OpenRFC.org Requests For Comments ... for the community
Welcome to OpenRFC
Home Full RFC index RFC humour Our technology
 
<< Previous <<      RFC 4011      >> Next >>    
Policy Based Management MIB.
S. Waldbusser, J. Saperia, T. Hongal. March 2005.

 
[Direct link][Download PDF version][Download text version]
 

Network Working Group S. Waldbusser Request for Comments: 4011 Nextbeacon Category: Standards Track J. Saperia JDS Consulting, Inc. T. Hongal Riverstone Networks, Inc. March 2005 Policy Based Management MIB Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, this MIB defines objects that enable policy-based monitoring and management of Simple Network Management Protocol (SNMP) infrastructures, a scripting language, and a script execution environment. Table of Contents 1. The Internet-Standard Management Framework .................. 3 2. Overview .................................................... 4 3. Policy-Based Management Architecture ........................ 4 4. Policy-Based Management Execution Environment ............... 10 4.1. Terminology ........................................... 10 4.2. Execution Environment - Elements of Procedure ......... 10 4.3. Element Discovery ..................................... 11 4.3.1. Implementation Notes .......................... 12 4.4. Element Filtering ..................................... 13 4.4.1. Implementation Notes .......................... 13 4.5. Policy Enforcement .................................... 13 4.5.1. Implementation Notes .......................... 14 5. The PolicyScript Language ................................... 14 5.1. Formal Definition ..................................... 15 Waldbusser, et al. Standards Track [Page 1]
RFC 4011 Policy Based Management MIB March 2005 5.2. Variables ............................................. 18 5.2.1. The Var Class ................................. 19 5.3. PolicyScript QuickStart Guide ......................... 23 5.3.1. Quickstart for C Programmers .................. 25 5.3.2. Quickstart for Perl Programmers ............... 25 5.3.3. Quickstart for TCL Programmers ................ 25 5.3.4. Quickstart for Python Programmers ............. 26 5.3.5. Quickstart for JavaScript/ECMAScript/JScript Programmers ................................... 26 5.4. PolicyScript Script Return Values ..................... 26 6. Index Information for `this element' ........................ 27 7. Library Functions ........................................... 28 8. Base Function Library ....................................... 29 8.1. SNMP Library Functions ................................ 29 8.1.1. SNMP Operations on Non-Local Systems .......... 30 8.1.2. Form of SNMP Values ........................... 32 8.1.3. Convenience SNMP Functions .................... 34 8.1.3.1. getVar() ............................ 34 8.1.3.2. exists() ............................ 34 8.1.3.3. setVar() ............................ 35 8.1.3.4. searchColumn() ...................... 36 8.1.3.5. setRowStatus() ...................... 38 8.1.3.6. createRow() ......................... 39 8.1.3.7. counterRate() ....................... 42 8.1.4. General SNMP Functions ........................ 44 8.1.4.1. newPDU() ............................ 45 8.1.4.2. writeVar() .......................... 45 8.1.4.3. readVar() ........................... 46 8.1.4.4. snmpSend() .......................... 47 8.1.4.5. readError() ......................... 48 8.1.4.6. writeBulkParameters() ............... 48 8.1.5. Constants for SNMP Library Functions .......... 49 8.2. Policy Library Functions .............................. 51 8.2.1. elementName() ................................. 51 8.2.2. elementAddress() .............................. 51 8.2.3. elementContext() .............................. 52 8.2.4. ec() .......................................... 52 8.2.5. ev() .......................................... 52 8.2.6. roleMatch() ................................... 52 8.2.7. Scratchpad Functions .......................... 53 8.2.8. setScratchpad() ............................... 55 8.2.9. getScratchpad() ............................... 56 8.2.10. signalError() ................................. 57 8.2.11. defer() ....................................... 57 8.2.12. fail() ........................................ 58 8.2.13. getParameters() ............................... 58 8.3. Utility Library Functions ............................. 59 8.3.1. regexp() ...................................... 59 Waldbusser, et al. Standards Track [Page 2]
RFC 4011 Policy Based Management MIB March 2005 8.3.2. regexpReplace() ............................... 60 8.3.3. oidlen() ...................................... 60 8.3.4. oidncmp() ..................................... 60 8.3.5. inSubtree() ................................... 60 8.3.6. subid() ....................................... 61 8.3.7. subidWrite() .................................. 61 8.3.8. oidSplice() ................................... 61 8.3.9. parseIndex() .................................. 62 8.3.10. stringToDotted() .............................. 63 8.3.11. integer() ..................................... 64 8.3.12. string() ...................................... 64 8.3.13. type() ........................................ 64 8.3.14. chr() ......................................... 64 8.3.15. ord() ......................................... 64 8.3.16. substr() ...................................... 65 8.4. General Functions ..................................... 65 9. International String Library ................................ 65 9.1. stringprep() .......................................... 66 9.1.1. Stringprep Profile ............................ 66 9.2. utf8Strlen() .......................................... 67 9.3. utf8Chr() ............................................. 68 9.4. utf8Ord() ............................................. 68 9.5. utf8Substr() .......................................... 68 10. Schedule Table .............................................. 69 11. Definitions ................................................. 70 12. Relationship to Other MIB Modules ........................... 113 13. Security Considerations ..................................... 114 14. IANA Considerations ......................................... 117 15. Acknowledgements ............................................ 118 16. References .................................................. 118 16.1. Normative References .................................. 118 16.2. Informative References ................................ 119 Authors' Addresses .............................................. 120 Full Copyright Statement ........................................ 121 1. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [16]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [2], STD 58, RFC 2579 [3], and STD 58, RFC 2580 [4]. Waldbusser, et al. Standards Track [Page 3]
RFC 4011 Policy Based Management MIB March 2005 2. Overview Large IT organizations have developed management strategies to cope with the extraordinarily large scale and complexity of today's networks. In particular, they have tried to configure the network as a whole by describing and implementing high-level business policies, rather than manage device by device, where orders of magnitude more decisions (and mistakes) may be made. The following are examples of "business policies": - All routers will run code version 6.2. - On-site contractors will only be connected to ports that are configured with special security restrictions. - All voice over cable ports in California must provide free local calling. - Apply special forwarding to all ports whose customers have paid for premium service. Each of these policies could represent an action applied to hundreds of thousands of variables. To automate this practice, customers need software tools that will implement business policies across their networks, as well as standard protocols that will ensure that policies can be applied to all of their devices, regardless of the vendor. This practice is called Policy-Based Management. This document defines managed objects for the Simple Network Management Protocol that are used to distribute policies in a common form throughout the network. 3. Policy-Based Management Architecture Policy-based management is the practice of applying management operations globally on all managed elements that share certain attributes. Policies are intended to express a notion of: if (an element has certain characteristics) then (apply an operation to that element) Waldbusser, et al. Standards Track [Page 4]
RFC 4011 Policy Based Management MIB March 2005 Policies take the following normal form: if (policyCondition) then (policyAction) A policyCondition is a script that results in a boolean to determine whether an element is a member of a set of elements upon which an action is to be performed. A policyAction is an operation performed on an element or a set of elements. These policies are most often executed on or near managed devices where the elements live (and thus their characteristics may be easily inspected) and where operations on those elements will be performed. A management station is responsible for distributing an organization's policies to all the managed devices in the infrastructure. The pmPolicyTable provides managed objects for representing a policy on a managed device. An element is an instance of a physical or logical entity and is embodied by a group of related MIB variables, such as all the variables for interface 7. This enables policies to be expressed more efficiently and concisely. Elements can also model circuits, CPUs, queues, processes, systems, etc. Conceptually, policies are executed in the following manner: for each element for which policyCondition returns true, execute policyAction on that element For example: If (interface is fast ethernet) then (apply full-duplex mode) If (interface is access) then (apply security filters) If (circuit w/gold service paid for) then (apply special queuing) Each unique combination of policy and element is called an execution context. Within a particular execution context, the phrase 'this element' is often used to refer to the associated element, as most policy operations will be applied to 'this element'. The address of 'this element' contains the object identifier of any attribute of the element, the SNMP context the element was discovered in, and the address of the system on which the element was discovered. Waldbusser, et al. Standards Track [Page 5]
RFC 4011 Policy Based Management MIB March 2005 Policies can manage elements on the same system: ----------------------------------------------------- | | | Managed System | | | | | | ------------------ Managed Elements | | | | interfaces | | | Policy Manager | manages... circuits | | | | queues | | ------------------ processes | | ... | | | ----------------------------------------------------- or they can manage elements on other systems: -------------------------- | Managed System | -------------------------- | Managed Elements | | | | interfaces | | Management Station or | | circuits | | Mid-Level Manager | | ... | | | -------------------------- | ------------------ | manages... | | Policy Manager | | -------------------------- | ------------------ | | Managed System | | | | Managed Elements | -------------------------- | interfaces | | circuits | | ... | -------------------------- ... PolicyConditions have the capability of performing comparison operations on SNMP variables, logical expressions, and other functions. Many device characteristics are already defined in MIB Modules and are easy to include in policyCondition expressions (ifType == ethernet, frCircuitCommittedBurst < 128K, etc). However, there are important characteristics that aren't currently in MIB objects, and, worse, it is not current practice to store this information on managed devices. Therefore, this document defines MIB objects for this information. To meet today's needs there are three missing areas: roles, capabilities, and time. Waldbusser, et al. Standards Track [Page 6]
RFC 4011 Policy Based Management MIB March 2005 Roles A role is an administratively specified characteristic of a managed element. As a selector for policies, it determines the applicability of the policy to a particular managed element. Some examples of roles are political, financial, legal, geographical, or architectural characteristics, typically not directly derivable from information stored on the managed system. For example, "paid for premium service" or "is plugged into a UPS" are examples of roles, whereas the "percent utilization of a link" would not be. Some types of information one would put into a role include the following: political - describes the role of a person or group of people, or of a service that a group of people uses. Examples: executive, sales, outside-contractor, customer. If (attached user is executive) then (apply higher bandwidth) If (attached user is outside-contractor) then (restrict access) financial/legal - describes what financial consideration was received. Could also include contractual or legal considerations. Examples: paid, gold, free, trial, demo, lifeline. If (gold service paid for) then (apply special queuing) geographical - describes the location of an element. Examples: California, Headquarters, insecure conduit. If (interface leaves the building) then (apply special security) architectural - describes the network architects "intent" for an element. Examples: backup, trunk. If (interface is backup) then (set ifAdminStatus = down) Roles in this model are human-defined strings that can be referenced by policy code. The role table in this MIB may be used to assign role strings to elements and to view all role string assignments. Implementation-specific mechanisms may also be used to assign role strings; however, these assignments must be visible in the role table. Multiple roles may be assigned to each element. Because policy code has access to data in MIB objects that represent the current state of the system and (in contrast) role strings are more static, it is recommended that role strings not duplicate information available in MIB objects. Role strings generally should be used to describe information not accessible in MIB objects. Waldbusser, et al. Standards Track [Page 7]
RFC 4011 Policy Based Management MIB March 2005 Policy scripts may inspect role assignments to make decisions based on whether an element has a particular role assigned to it. The pmRoleTable allows a management station to learn what roles exist on a managed system. The management station may choose not to install policies that depend on a role that does not exist on any elements in the system. The management station can then register for notifications of new roles. Upon receipt of a pmNewRoleNotification, it may choose to install new policies that make use of that new role. Capabilities The capabilities table allows a management station to learn what capabilities exist on a managed system. The management station may choose not to install policies that depend on a capability that does not exist on any elements in the system. The management station can then register for notifications of new capabilities. Upon receipt of a pmNewCapabilityNotification, it may choose to install new policies that make use of that new capability. Time Managers may wish to define policies that are intended to apply for certain periods of time. This might mean that a policy is installed and is dormant for a period of time, becomes ready, and then later goes dormant again. Sometimes these time periods will be regular (Monday-Friday 9-5), and sometimes ad hoc. This MIB provides a schedule table that can schedule when a policy is ready and when it is dormant. Waldbusser, et al. Standards Track [Page 8]
RFC 4011 Policy Based Management MIB March 2005 A policy manager contains the following: ------------------------------------------------------- | Policy Manager | | | | ---------------------------------------- | | | Agent | | | | | | | | --------------------------------- | | | | | Policy Download and Control | | | | | | pmPolicyTable | | | | | | pmElementTypeRegTable | | | | | | pmSchedTable | | | | | --------------------------------- | | | | | | | | --------------------------------- | | | | | Policy Environment Control | | | | | | pmRoleTable | | | | | | pmCapabilitiesTables | | | | | --------------------------------- | | | | | | | | --------------------------------- | | | | | Policy Monitoring | | | | | | pmTrackingTables | | | | | | pmDebuggingTable | | | | | --------------------------------- | | | ---------------------------------------- | | | | -------------------------------- | | | Execution Environment | | | | | | | | ----------------------- | | | | | Policy Scheduler | | | | | ----------------------- | | | | ----------------------- | | | | | Language | | | | | ----------------------- | | | | ----------------------- | | | | | Function Library | | | | | ----------------------- | | | -------------------------------- | ------------------------------------------------------- Waldbusser, et al. Standards Track [Page 9]
RFC 4011 Policy Based Management MIB March 2005 4. Policy-Based Management Execution Environment 4.1. Terminology Active Schedule - A schedule specifies certain times that it will be considered active. A schedule is active during those times. Valid Policy - A valid policy is a policy that is fully configured and enabled to run. A valid policy may run unless it is linked to a schedule entry that says the policy is not currently active. Ready Policy - A ready policy is a valid policy that either has no schedule or is linked to a schedule that is currently active. Precedence Group - Multiple policies can be assigned to a precedence group with the resulting behavior that for each element, of the ready policies that match the condition, only the one with the highest precedence value will be active. For example, if there is a default bronze policy that applies to any interface and a special policy for gold interfaces, the higher precedence of the gold policy will ensure that it is run on gold ports and that the bronze policy isn't. Active Execution Context - An active execution context is a pairing of a ready policy with an element that matches the element type filter and the policy condition. If there are multiple policies in the precedence group, it is also necessary that no higher precedence policy in the group match the policy condition. Run-Time Exception (RTE) - A run-time exception is a fatal error caused in language or function processing. If, during the invocation of a script, a run-time exception occurs, execution of that script is immediately terminated. If a policyCondition experiences a run-time exception while processing an element, the element is not matched by the condition and the associated action will not be run on that element. A run-time exception can cause an entry to be added to the pmDebuggingTable and will be reflected in the pmTrackingPEInfo object. 4.2. Execution Environment - Elements of Procedure There are several steps performed in order to execute policies in this environment: - Element Discovery - Element Filtering - Policy Enforcement Waldbusser, et al. Standards Track [Page 10]
RFC 4011 Policy Based Management MIB March 2005 4.3. Element Discovery An element is an instance of a physical or logical entity. Examples of elements include interfaces, circuits, queues, CPUs, and processes. Sometimes various attributes of an entity will be described through tables in several standard and proprietary MIB Modules. As long as the indexing is consistent between these tables, the entity can be modeled as one element. For example, the ifTable and the dot3Stats table both contain attributes of interfaces and share the same index (ifIndex), therefore they can be modeled as one element type. The Element Type Registration table allows the manager to learn what element types are being managed by the system and to register new types, if necessary. An element type is registered by providing the OID of an SNMP object (i.e., without the instance). Each SNMP instance that exists under that object is a distinct element. The index part of the discovered OID will be supplied to policy conditions and actions so that this code can inspect and configure the element. The agent can determine the index portion of discovered OIDs based on the length of the pmElementTypeRegOIDPrefix for the portion of the MIB that is being retrieved. For example, if the OIDPrefix is 'ifEntry', which has 9 subids, the index starts on the 11th subid (skipping the subidentifier for the column; e.g., ifSpeed). For each element that is discovered, the policy condition is called with the element's name as an argument to see whether the element is a member of the set the policy acts upon. Note that agents may automatically configure entries in this table for frequently used element types (interfaces, circuits, etc.). In particular, it may configure elements for which discovery is optimized in one or both of the following ways: 1. The agent may discover elements by scanning internal data structures as opposed to issuing local SNMP requests. It is possible to recreate the exact semantics described in this table even if local SNMP requests are not issued. 2. The agent may receive asynchronous notification of new elements (for example, "card inserted") and use that information to create elements instantly rather than through polling. A similar feature might be available for the deletion of elements. Note that upon restart, the disposition of agent-installed entries is described by the pmPolicyStorageType object. Waldbusser, et al. Standards Track [Page 11]
RFC 4011 Policy Based Management MIB March 2005 A special element type "0.0" represents the "system element". "0.0" represents the single instance of the system itself and provides an execution context for policies to operate on "the system" and on MIB objects modeled as scalars. For example, "0.0" gives an execution context for policy-based selection of the operating system code version (likely modeled as a scalar MIB object). The element type "0.0" always exists. As a consequence, no actual discovery will take place and the pmElementTypeRegMaxLatency object will have no effect for the "0.0" element type. However, if the "0.0" element type is not registered in the table, policies will not be executed on the "0.0" element. If the agent is discovering elements by polling, it should check for new elements no less frequently than pmElementTypeRegMaxLatency would dictate. When an element is first discovered, all policyConditions are run immediately, and policyConditions that match will have the associated policyAction run immediately. Subsequently, the policyCondition will be run regularly for the element, with no more than pmPolicyConditionMaxLatency milliseconds elapsing between each invocation. Note that if an implementation has the ability to be alerted immediately when a particular type of element is created, it is urged to discover that type of element in this fashion rather than through polling, resulting in immediate configuration of the discovered element. 4.3.1. Implementation Notes Note that although the external behavior of this registration process is defined in terms of the walking of MIB tables, implementation strategies may differ. For example, commonly used element types (such as interface) may have purpose-built element discovery capability built-in and advertised to managers through an entry in the pmElementTypeRegTable. Before registering an element type, a manager is responsible for inspecting the table to see whether it is already registered (either by the agent or by another manager). Note that entries that differ only in the last subid (which specifies which object is an entry) are effectively duplicates and should be treated as such by the manager. The system that implements the Policy-Based Management MIB may not have knowledge of the format of object identifiers in other MIB Modules. Therefore it is inappropriate for it to check these OIDs for errors. It is the responsibility of the management station to register well-formed object identifiers. For example, if an extra sub-identifier is supplied when the ifTable is registered, no Waldbusser, et al. Standards Track [Page 12]
RFC 4011 Policy Based Management MIB March 2005 elements will be discovered. Similarly, if a sub-identifier is missing, every element will be discovered numerous times (once per column) and none of the element addresses will be well formed. 4.4. Element Filtering The first step in executing a policy is to see whether the policy is ready to run based on its schedule. If the pmPolicySchedule object is equal to zero, there is no schedule defined, and the policy is always ready. If the pmPolicySchedule object is non-zero, then the policy is ready only if the referenced schedule group contains at least one valid schedule entry that is active at the current time. If the policy is ready, the next step in executing a policy is to see which elements match the policy condition. The policy condition is called once for each element and runs to completion. The element's name is the only argument that is passed to the condition code for each invocation. No state is remembered within the policy script from the previous invocation of 'this element' or from the previous invocation of the policy condition, except for state accessible through library functions. Two notable examples of these are the scratchpad functions, which explicitly provide for storing state, and the SNMP functions, which can store state in local or remote MIB objects. If any run-time exception occurs, the condition will terminate immediately for 'this element'. If the condition returns non-zero, the corresponding policy action will be executed for 'this element'. If an element matches a condition and it had not matched that condition the last time it was checked (or if it is a newly discovered element), the associated policyAction will be executed immediately. If the element had matched the condition at the last check, it will remain in the set of elements whose policyAction will be run within the policyActionMaxLatency. 4.4.1. Implementation Notes Whether policy conditions are multi-tasked is an implementation- dependent matter. Each condition/element combination is conceptually its own process and can be scheduled sequentially, or two or more could be run simultaneously. 4.5. Policy Enforcement For each element that has returned non-zero from the policy condition, the corresponding policy action is called. The element's name is the only argument that is passed to the policy action for each invocation. Except for state accessible from library functions, Waldbusser, et al. Standards Track [Page 13]
RFC 4011 Policy Based Management MIB March 2005 no state is remembered from the policy condition evaluation, or from the previous condition/action invocation of 'this element' or from the previous invocation of the policy condition or action on any other element. If any run-time exception occurs, the action will terminate immediately for 'this element'. 4.5.1. Implementation Notes How policy actions are multi-tasked is an implementation-dependent matter. Each condition/element combination is conceptually its own process and can be scheduled sequentially, or two or more could be run simultaneously. 5. The PolicyScript Language Policy conditions and policy actions are expressed with the PolicyScript language. The PolicyScript language is designed to be a small interpreted language that is simple to understand and implement; it is designed to be appropriate for writing small scripts that make up policy conditions and actions. PolicyScript is intended to be familiar to programmers that know one of several common languages, including Perl and C. Nominally, policyScript is a subset of the C language; however, it was desirable to have access to C++'s operator overloading (solely to aid in documenting the language). Therefore, PolicyScript is defined formally as a subset of the C++ language in which many of the operators are overloaded as part of the "var" class. Note, however, that a PolicyScript program cannot further overload operators, as the syntax to specify overloading is not part of the PolicyScript syntax. A subset was used to provide for easy development of low-cost interpreters of PolicyScript and to take away language constructs that are peculiar to the C/C++ languages. For example, it is expected that both C and Perl programmers will understand the constructs allowed in PolicyScript. Some examples of the C/C++ features that are not available are function definitions, pointer variables, structures, enums, typedefs, floating point and pre-processor functions (except for comments). This language is formally defined as a subset of ISO C++ [10] but only allows constructs that may be expressed in the Extended Backus- Naur Form (EBNF) documented here. This is because although EBNF doesn't fully specify syntactical rules (it allows constructs that are invalid) and doesn't specify semantic rules, it can successfully be used to define the subset of the language that is required for Waldbusser, et al. Standards Track [Page 14]
RFC 4011 Policy Based Management MIB March 2005 conformance to this specification. Unless explicitly described herein, the meaning of any construct expressed in the EBNF can be found by reference to the ISO C++ standard. The use of comments and newlines are allowed and encouraged in order to promote readability of PolicyScript code. Comments begin with '/*' and end with '*/' or begin with '//' and go until the end of the line. One subset is not expressible in the EBNF syntax: all variables within an instance of a PolicyScript script are within the same scope. In other words, variables defined in a block delimited with '{' and '}' are not in a separate scope from variables in the enclosing block. PolicyScript code must be expressed in the ASCII character set. In the EBNF used here, terminals are character set members (singly or in a sequence) that are enclosed between two single-quote characters or described as a phrase between '<' and '>' characters. Nonterminals are a sequence of letters and underscore characters. A colon (:) following a nonterminal introduces its definition, a production. In a production, a '|' character separates alternatives. The '(' and ')' symbols group the enclosed items. The '[' and ']' symbols indicate that the enclosed items are optional. A '?' symbol following an item indicates that the item is optional. A '*' symbol following an item indicates that the item is repeated zero, one, or more times. A '+' symbol following an item indicates that the item is repeated one or more times. The symbol '--' begins a comment that ends at the end of the line. 5.1. Formal Definition The PolicyScript language follows the syntax and semantics of ISO C++ [10], but is limited to that which can be expressed in the EBNF below. The following keywords are reserved words and cannot be used in any policy script. This prevents someone from using a common keyword in another language as an identifier in a script, thereby confusing the meaning of the script. The reserved words are: auto, case, char, const, default, do, double, enum, extern, float, goto, inline, int, long, register, short, signed, sizeof, static, struct, switch, typedef, union, unsigned, void, and volatile. Waldbusser, et al. Standards Track [Page 15]
RFC 4011 Policy Based Management MIB March 2005 Any syntax error, use of a reserved keyword, reference to an unknown identifier, improper number of function arguments, error in coercing an argument to the proper type, exceeding local limitations on string length, or exceeding local limitations on the total amount of storage used by local variables will cause an RTE. PolicyScript permits comments using the comment delimiters, '/*' to '*/', or the start of comment symbol '//'. -- Lexical Grammar letter: '_' | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'g' | 'h' | 'i' | 'j' | 'k' | 'l' | 'm' | 'n' | 'o' | 'p' | 'q' | 'r' | 's' | 't' | 'u' | 'v' | 'w' | 'x' | 'y' | 'z' | 'A' | 'B' | 'C' | 'D' | 'E' | 'F' | 'G' | 'H' | 'I' | 'J' | 'K' | 'L' | 'M' | 'N' | 'O' | 'P' | 'Q' | 'R' | 'S' | 'T' | 'U' | 'V' | 'W' | 'X' | 'Y' | 'Z' digit: '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' non_zero: '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' oct_digit: '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' hex_digit: digit | 'a' | 'b' | 'c' | 'd' | 'e' | 'f' | 'A' | 'B' | 'C' | 'D' | 'E' | 'F' escape_seq: '\'' | '\"' | '\?' | '\\' | '\a' | '\b' | '\f' | '\n' | '\r' | '\t' | '\v' | '\' oct_digit+ | '\x' hex_digit+ non_quote: Any character in the ASCII character set except single quote ('), double quote ("), backslash ('\'), or newline. c_char: non_quote | '"' | escape_seq string_literal: '"' s_char* '"' s_char: non_quote | ''' | escape_seq char_constant: ''' c_char ''' decimal_constant: non_zero digit* Waldbusser, et al. Standards Track [Page 16]
RFC 4011 Policy Based Management MIB March 2005 octal_constant: '0' oct_digit* hex_constant: ( '0x' | '0X' ) hex_digit+ integer_constant: decimal_constant | octal_constant | hex_constant identifier: letter ( letter | digit )* -- Phrase Structure Grammar -- Expressions primary_expr: identifier | integer_constant | char_constant | string_literal | '(' expression ')' postfix_expr: primary_expr | identifier '(' argument_expression_list? ')' | postfix_expr '++' | postfix_expr '--' | postfix_expr '[' expression ']' argument_expression_list: assignment_expr | argument_expression_list ',' assignment_expr unary_expr: postfix_expr | unary_op unary_expr unary_op: '+' | '-' | '~' | '!' | '++' | '--' binary_expr: unary_expr | binary_expr binary_op unary_expr binary_op: '||' | '&&' | '|' | '^' | '&' | '!=' | '==' | '>=' | '<=' | '>' | '<' | '>>' | '<<' | '-' | '+' | '%' | '/' | '*' assignment_expr: binary_expr | unary_expr assignment_op assignment_expr assignment_op: '=' | '*=' | '/=' | '%=' | '+=' | '-=' | '<<=' | '>>=' | '&=' | '^=' | '|=' expression: assignment_expr | expression ',' assignment_expr -- Declarations declaration: 'var' declarator_list ';' Waldbusser, et al. Standards Track [Page 17]
RFC 4011 Policy Based Management MIB March 2005 declarator_list: init_declarator | declarator_list ',' init_declarator init_declarator: identifier [ '=' assignment_expr ] -- Statements statement: declaration | compound_statement | expression_statement | selection_statement | iteration_statement | jump_statement compound_statement: '{' statement* '}' expression_statement: expression? ';' selection_statement: 'if' '(' expression ')' statement | 'if' '(' expression ')' statement 'else' statement iteration_statement: 'while' '(' expression ')' statement | 'for' '(' expression? ';' expression? ';' expression? ')' statement jump_statement: 'continue' ';' | 'break' ';' | 'return' expression? ';' -- Root production PolicyScript: statement* 5.2. Variables To promote shorter scripts and ease in writing them, PolicyScript provides a loosely typed data class, "var", that can store both integer and string values. The native C++ types (char, int, etc.) are thus unnecessary and have not been carried into the subset that comprises this language. The semantics of the "var" type are modeled after those of ECMAScript[17]. For example: var number = 0, name = "IETF"; Waldbusser, et al. Standards Track [Page 18]
RFC 4011 Policy Based Management MIB March 2005 This language will be executed in an environment where the following typedef is declared. (Note that this typedef will not be visible in the policyCondition or policyAction code.) typedef ... var; Although this declaration is expressed here as a typedef, the 'typedef' keyword itself is not available to be used in PolicyScript code. 5.2.1. The Var Class A value is an entity that takes on one of two types: string or integer. The String type is the set of all finite ordered sequences of zero or more 8-bit unsigned integer values ("elements"). The string type can store textual data as well as binary data sequences. Each element is considered to occupy a position within the sequence. These positions are indexed with nonnegative integers. The first element (if any) is at position 0, the next element (if any) at position 1, and so on. The length of a string is the number of elements (i.e., 8-bit values) within it. The empty string has length zero and therefore contains no elements. The integer type is the set of all integer values in the range -9223372036854775808 (-2^63) to 18446744073709551615 (2^64-1). If an integer operation would cause a (positive) overflow, then the result is returned modulo 2^64. If an integer operation would cause a (negative) underflow, then the result is undefined. Integer division rounds toward zero. Prior to initialization, a var object has type String and a length of zero. The policy script runtime system performs automatic type conversion as needed. To clarify the semantics of certain constructs it is useful to define a set of conversion operators: ToInteger(), ToString(), ToBoolean(), and Type(). These operators are not a part of the language; they are defined here to aid the specification of the semantics of the language. The conversion operators are polymorphic; that is, they can accept a value of any standard type. Waldbusser, et al. Standards Track [Page 19]
RFC 4011 Policy Based Management MIB March 2005 ToInteger The operator ToInteger converts its argument to a value of type Integer according to the following table: Integer The result equals the input argument (no conversion). String See grammar and note below. integer_constant The result equals the input argument (no conversion). string_literal See grammar and note below. char_constant See grammar and note below. ToInteger Applied to Strings ToInteger applied to the String Type string_literal and to char_constants applies the following grammar to the input. If the grammar cannot interpret the string as an expansion of numeric_string, then an RTE is generated. Note that a numeric_string that is empty or contains only white space is converted to 0. -- EBNF for numeric_string numeric_string : white_space* numeric? white_space* white_space : <TAB> | <SP> | <NBSP> | <FF> | <VT> | <CR> | <LF> | <LS> | <PS> | <USP> numeric : signed_decimal | hex_constant | octal_constant | enum_decimal signed_decimal: [ '-' | '+' ] decimal_constant enum_decimal: [ letter | digit | '-' ]* '(' decimal_constant ')' -- decimal_constant, hex_constant, and octal_constant are defined -- in the PolicyScript EBNF described earlier. Note that when the enum_decimal form is converted, the sequence of characters before the parenthesis and the pair of parenthesis themselves are completely ignored, and the decimal_constant inside the parenthesis is converted. Thus, "frame-relay(32)" translates to the integer 32. Although this will make the script more readable than using the constant "32", the burden is on the code writer to be accurate, as "ethernet-csmacd(32)" and "frame-relay(999)" will also be accepted. Waldbusser, et al. Standards Track [Page 20]
RFC 4011 Policy Based Management MIB March 2005 ToString The operator ToString converts its argument to a value of type String according to the following table: Integer Return the string containing the decimal representation of the input argument in the form of signed_decimal, except that no leading '+' will be used. String Return the input argument (no conversion) integer_constant Return the string containing the decimal representation of the input argument in the form of signed_decimal except that no leading '+' will be used. string_literal Return the input argument (no conversion) char_constant Return the string of length one containing the value of the input argument. ToBoolean The operator ToBoolean converts its argument to a value of type Integer according to the following table: Integer The result is 0 if the argument is 0. Otherwise the result is 1. String The results is 0 if the argument is the empty string. Otherwise the result is 1. integer_constant The result is 0 if the argument is 0. Otherwise the result is 1. string_literal The result is 0 if the argument is the empty string. Otherwise the result is 1. char_constant The result is 1. Operators The rules below specify the type conversion rules for the various operators. A++: A = ToInteger(A); A++; A--: A = ToInteger(A); A--; ++A: A = ToInteger(A); ++A; --A: A = ToInteger(A); --A; +A: ToInteger(A); -A: -1 * ToInteger(A); ~A: ToInteger(A); !A: !ToBoolean(A); A * B, A - B, A & B, A ^ B , A | B, A << B, A >> B: ToInteger(A) <operator> ToInteger(B) Waldbusser, et al. Standards Track [Page 21]
RFC 4011 Policy Based Management MIB March 2005 A / B, A % B: if (ToInteger(B) == 0) RTE, terminate; else ToInteger(A) <operator> ToInteger(B) A + B: if (Type(A) == String || Type(B) == String) ToString(A) concatenated with ToString(B) else A + B Compound Assignment (<operator>=): Simply follow rules above. Note that type of LHS (Left Hand Side) may be changed as a result. A < B, A > B, A <= B, A >= B, A == B, A != B: if (Type(A) == String && Type(B) == String) lexically compare strings with strcmp() logic else ToInteger(A) <operator> ToInteger(B) A && B: if (ToBoolean(A)) ToBoolean(B); else false; A || B: if (ToBoolean(A)) true; else ToBoolean(B); if(A): if (ToBoolean(A)) while(A): while(ToBoolean(A)) for(...; A; ...): for(...; ToBoolean(A); ...) A[B] as a RHS (Right Hand Side) value: if (Type(A) != String || ToInteger(B) >= strlen(A)) RTE, terminate; A[ ToInteger(B) ] The contents are returned as a string of length one A[B] = C as a LHS value: if (Type(A) != String || ToInteger(B) >= strlen(A)) Waldbusser, et al. Standards Track [Page 22]
RFC 4011 Policy Based Management MIB March 2005 RTE, terminate; if (strlen(ToString(C)) == 0) RTE, terminate A[ ToInteger(B) ] = First octet of ToString(C) Note that this is only applicable in a simple assignment. For example, in the expression "getVar("ifSpeed.1") < 128000" getVar always returns a string and '128000' is implicitly an integer. The rules for '<' dictate that if either argument is an integer then a 'numeric less than' is performed on ToInteger(A) and ToInteger(B). If "getVar("ifSpeed.1")" returns "64000", the expression can be translated to: ToInteger("64000") < ToInteger(128000); or, 64000 < 128000; or, True 5.3. PolicyScript QuickStart Guide PolicyScript is designed so that programmers fluent in other languages can quickly begin to write scripts. One way to become familiar with a language is to see it in action. The following nonsensical script exercises most of the PolicyScript constructs (though it skips some usage options and many arithmetic operators). var x, index = 7, str = "Hello World", oid = "ifSpeed."; x = 0; while(x < 10){ if (str < "Goodbye") /* string comparison */ continue; else break; x++; } if (oidlen(oid) == 10) oid += "." + index; // append index to oid for(x = 0; x < 7; x++){ str += "a"; Waldbusser, et al. Standards Track [Page 23]
RFC 4011 Policy Based Management MIB March 2005 var y = 12; index = ((x * 7) + y) % 3; if (str[6] == 'W') return index; } return; The following examples are more practical: For a condition: // Return 1 if this is an interface and it is tagged // with the role "gold" return (inSubtree(elementName(), "ifEntry") && roleMatch("gold")) A condition/action pair: First, register the Host Resources MIB hrSWRunEntry as a new element in the pmElementTypeRegTable. This will cause the policy to run for every process on the system. The token '$*' will be replaced by the script interpreter with a process index (see Section 7 for a definition of the '$*' token). The condition: // if it's a process and it's an application and it's // consumed more than 5 minutes of CPU time return (inSubtree(elementName(), "hrSWRunEntry") && getVar("hrSWRunType.$*") == 4 // app, not OS or driver && getVar("hrSWRunPerfCPU.$*") > 30000) // 300 seconds The action: // Kill it setVar("hrSWRunStatus.$*", 4, Integer); // invalid(4) kills it A more substantial action to start an RMON2 host table on interfaces that match the condition: var pdu, index; pdu = newPDU(); writeVar(pdu, 0, "hlHostControlDataSource.*", "ifIndex." + ev(0), Oid); writeVar(pdu, 1, "hlHostControlNlMaxDesiredEntries.*", 1000, Integer); writeVar(pdu, 2, "hlHostControlAlMaxDesiredEntries.*", 1000, Integer); writeVar(pdu, 3, "hlHostControlOwner.*", "policy", String); Waldbusser, et al. Standards Track [Page 24]
RFC 4011 Policy Based Management MIB March 2005 writeVar(pdu, 4, "hlHostControlStatus.*", "active(1)", Integer); if (createRow(pdu, 5, 4, 20, 65535, index) == 0 || index == -1) return; Because PolicyScript is a least common denominator, it contains nothing that would astonish programmers familiar with C, C++, Perl, Tcl, JavaScript, or Python. Although a new programmer may attempt to use language constructs that aren't available in PolicyScript, s/he should be able to understand any existing PolicyScript and will likely know how to use anything that is valid in PolicyScript. The lists below quickly enumerate the changes of note for programmers coming from some particular languages. These lists won't describe the unavailable constructs, but it is easy to see from the definition above what is available. 5.3.1. Quickstart for C Programmers - Character constants (i.e., 'c') are treated as one-character strings, not as integers. So operations such as ('M' - 'A') or (x + 'A') will not perform as expected. - Functions can change the value of arguments even though they are not pointers (or called like '&arg'). - All variables are in the same scope. 5.3.2. Quickstart for Perl Programmers - Comments are '/* comment */' and '// till end of line', not '#'. - No need to put a '$' in front of variables. - Strings are compared with ==, <=, <, etc. (details in Sec. 6.2.1). - Strings are concatenated with '+' (details in Sec. 6.2.1). - No variable substitution in "" strings. '' strings are 1 char only. - Variables must be declared before use (but no type is necessary). - All variables are in the same scope. 5.3.3. Quickstart for TCL Programmers - Comments are '/* comment */' and '// till end of line', not '#'. - No need to put a '$' in front of variables. - Function calls are func-name(arg1, arg2, ...). - Square braces [] don't interpret their contents. - Double quotes "" surround a string, but no substitutions are performed ("" is like { } in TCL ). - Statements are terminated by a semicolon (;). - Instead of "Set a b", use "b = a;". - Strings are concatenated with '+' (details in Sec. 6.2.1). - All variables are in the same scope. Waldbusser, et al. Standards Track [Page 25]
RFC 4011 Policy Based Management MIB March 2005 5.3.4. Quickstart for Python Programmers - Comments are '/* comment */' and '// till end of line', not '#'. - Single quotes can be used only for single-character strings ('a'). - Indentation doesn't matter. Braces { } define blocks. - Variables must be declared before use (but no type is necessary). - The expressions for if and while are always surrounded by parenthesis, as in "if (x < 5)". - 'for' syntax is "for(expression; expression; expression)" (see EBNF). - All variables are in the same scope. 5.3.5. Quickstart for JavaScript/ECMAScript/JScript Programmers - Variables must be declared before use. - Functions can change the value of arguments. - All variables are in the same scope. 5.4. PolicyScript Script Return Values A PolicyScript script execution is normally ended by the execution of a return statement, or by having the flow of execution reach the end of the final statement in the script. A normal script execution always returns a Boolean value. If no explicit value is specified in the return statement, or if the flow of control proceeds through the end of the script, the return value is implicitly zero. If an expression is provided with the return statement, the expression is evaluated, and the result of the expression is implicitly converted with the ToBoolean operator before being returned to the script execution environment. The return value of a policyCondition script is used to determine whether the associated policyAction script is executed. If the returned value is zero, the associated policyAction script is not executed. If the returned value is one, the associated policyAction script will be executed. The return value of a policyAction script is ignored. An RTE or invocation of the fail() function will cause the return value of the script to be set to zero. Note however, that execution of the defer() or fail() functions may set the defer attribute so that the lower precedence script may be executed. This is independent of the return value of the policy script execution. Waldbusser, et al. Standards Track [Page 26]
RFC 4011 Policy Based Management MIB March 2005 6. Index Information for 'this element' PolicyScript code needs a convenient way to get the components of the index for 'this element' so that they can perform SNMP operations on it or on related elements. Two mechanisms are provided. 1. For all OID input parameters to all SNMP Library Functions (but not OID utility functions), the token "$n" ('$' followed by an integer between 0 and 128) can be used in place of any decimal sub-identifier. This token is expanded by the agent at execution time to contain the nth subid of the index for the current element. For example, if the element is interface 7, and the objectIdentifier is "1.3.6.1.2.1.2.2.1.3.$0", it will be expanded to "1.3.6.1.2.1.2.2.1.3.7". The special token "$*" is expanded to contain all of the subidentifiers of the index of the current element, separated by '.' characters. It is an RTE if a token is specified that is beyond the length of the index for the current element. Note that the "$n" convention is only active within strings. 2. The ec() and ev() functions allow access to the components of the index for 'this element'. ec() takes no argument and returns the number of index components that exist. ev() takes an integer argument specifying which component of the index (numbered starting at 0) and returns an integer containing the value of the n'th subidentifier. Refer to the Library functions section for the complete definition of ec() and ev(). For example, if 'this element' is frCircuitDLCI.5.57 (ifIndex = 5, DLCI = 57) then ec() returns 2 ev(0) returns 5 ev(1) returns 57 This is helpful when one wishes to address a related element. Extending the previous example, to find the port speed of the port, the circuit (above) runs over: portSpeed = getVar("ifSpeed." + ev(0)); A script may check the type of 'this element' by calling the elementName() function. Although it is possible to write a script that will work with different types of elements, many scripts will Waldbusser, et al. Standards Track [Page 27]
RFC 4011 Policy Based Management MIB March 2005 assume a particular element type and will work incorrectly if used on different element types. 7. Library Functions Library functions are built-in functions available primarily to provide access to information on the local system or to manipulate this information more efficiently. A group of functions is organized into a library, the unit of conformance for function implementation. In order to claim conformance to a library, an implementation must implement all functions in a library to the specifications of the library. In order for a management station or a condition or action to understand whether a certain library of functions is implemented, each library will have a name that it registers in the role table as a characteristic of the system element ("0.0") in the default SNMP context. Thus, conformance to a library can be tested with the roleMatch library function (in the base library) with the call roleMatch ("libraryName", "0.0"). Note that in the descriptions of these functions below, the function prototype describes the type of argument expected. Even though variables are not declared with a particular type, their contents must be appropriate for each function argument. If the type is variable, the keyword 'var' will be used. If only a string is appropriate, the keyword 'string' will be used. If only an integer is appropriate, the keyword 'integer' will be used. If the argument is declared as 'string' or 'integer' and a value of a different type is passed, the argument will be coerced with ToInteger() or ToString(). Any failure of this coercion will cause an RTE (in particular for ToInteger(), which will fail if its string-valued argument is not a well-formed integer). In the function prototype, if the '&' character precedes the identifier for an argument, that argument may be modified by the function (e.g., "integer &result, ...)"). Arguments without the '&' character cannot be modified by the function. In a script, modifiable arguments don't have to be preceded by a '&'. It is an RTE if a constant is passed to a modifiable function argument (regardless of whether the function actually writes to the argument). In the function prototype, the '[' and ']' characters surround arguments that are optional. In PolicyScript code, the optional argument may only be included if all optional arguments to the left of it are included. The function may place restrictions on when an optional argument must, or must not, be included. Waldbusser, et al. Standards Track [Page 28]
RFC 4011 Policy Based Management MIB March 2005 In the function prototype, if a type is listed before the name of the function, the function returns a value of that type. If no type is listed, the function returns no value. 8. Base Function Library A standard base library of functions is available to all systems that implement this specification. This library is registered with the name "pmBaseFunctionLibrary". Although the specification of this library is modularized into 4 separate sections, conformance to the library requires implementation of all functions in all sections. The sections are: - SNMP library functions - Policy library functions - Utility functions - Library Functions 8.1. SNMP Library Functions Two sets of SNMP Library functions are available with different situations in mind: - Convenience SNMP Functions In an effort to keep simple things simple, these functions are easy to use and code that is easy to understand. These functions will suffice for the majority of situations, where a single variable is referenced and the desired error recovery is simply (and immediately) to give up (and move to the next policy-element combination). In more complex cases, the General SNMP Functions can be used at the cost of several times the code complexity. The convenience SNMP functions are getVar, exists, setVar, setRowStatus, createRow, counterRate, and searchColumn. - General SNMP Functions The General SNMP functions allow nearly any legal SNMP Message to be generated, including those with multiple varbinds, getNext operations, notifications, and messages with explicit addressing or security specifications. The general SNMP functions are writeVar, readVar, snmpSend, readError, and writeBulkParameters. Waldbusser, et al. Standards Track [Page 29]
RFC 4011 Policy Based Management MIB March 2005 8.1.1. SNMP Operations on Non-Local Systems From time to time, a script may have to perform an operation on a different SNMP system than that on which 'this element' resides. Scripts may also have to specify the use of alternate security parameters. In order to do this, the following optional arguments are provided for the SNMP library functions: snmp-function(...[, integer mPModel, string tDomain, string tAddress, integer secModel, string secName, integer secLevel, string contextEngineID ]) For example: getVar("sysDescr.0", "", SNMPv3, "transportDomainUdpIpv4", "192.168.1.1:161", USM, "joe", NoAuthNoPriv); The use of these arguments is denoted in function definitions by the keyword 'NonLocalArgs'. The definitions of these arguments are as follows: 'mPModel' is the integer value of the SnmpMessageProcessingModel to use for this operation. 'tDomain' is a string containing an ASCII dotted-decimal object identifier representing the transport domain to use for this operation. 'tAddress' is a string containing the transport address formatted according to the 'tDomain' argument. The ASCII formats for various values of 'tDomain' are defined by the DISPLAY-HINT for a TEXTUAL-CONVENTION that represents an address of that type. The DISPLAY-HINTs used are: tDomain Source of DISPLAY-HINT [5] [11] ------- ---------------------- transportDomainUdpIpv4 TransportAddressIPv4 transportDomainUdpIpv6 TransportAddressIPv6 transportDomainUdpDns TransportAddressDns snmpCLNSDomain snmpOSIAddress snmpCONSDomain snmpOSIAddress snmpDDPDomain snmpNBPAddress snmpIPXDomain snmpIPXAddress rfc1157Domain snmpUDPAddress Other Use DISPLAY-HINT "1x:" Waldbusser, et al. Standards Track [Page 30]
RFC 4011 Policy Based Management MIB March 2005 'secModel' is the integer value of the SnmpSecurityModel to use for this operation. 'secName' is a string value representing the SnmpSecurityName to use for this operation. 'secLevel' is the integer value of the SnmpSecurityLevel to use for this operation. An SNMP operation will be sent to the target system by using security parameters retrieved from a local configuration datastore based on 'secModel', 'secName', and 'secLevel'. It is the responsibility of the agent to ensure that sensitive information in the local configuration datastore is used on behalf of the correct principals, as identified by the security credentials of the last entity to modify the pmPolicyAdminStatus for a policy. To illustrate how this must be configured, consider an example in which 'joe' installs a policy on 'PMAgent' that will periodically configure objects on 'TargetAgent' with the credentials of 'Operator'. The following conditions must be true for this policy to execute with the proper privileges: - 'Operator's security credentials for TargetAgent must be installed in PMAgent's local configuration datastore (e.g., usmUserTable [6]) indexed by TargetAgent's engineID and 'Operator'. - VACM [9] must be configured on PMAgent so that 'joe' has access to the above entry in the appropriate MIB for the local configuration datastore (e.g., usmUserTable). - 'joe' must be the last user to modify the pmPolicyAdminStatus object for the policy. See the Security Considerations section for more information. For convenience, constants for 'mPModel', 'secModel', and 'secLevel' are defined in the "Constants" section below. 'contextEngineID' is a string representing the contextEngineID of the SNMP entity targeted by this operation. It is encoded as a pair of hex digits (upper- and lowercase are valid) for each octet of the contextEngineID. If 'tDomain' and 'tAddress' are provided but 'contextEngineID' is not, then the operation will be directed to the SNMP entity reachable at 'tDomain' and 'tAddress'. In order for PolicyScript code to use any of these arguments, all optional arguments to the left must be included. 'mPModel', 'tDomain', 'tAddress', 'secModel', 'secName', and 'secLevel' must Waldbusser, et al. Standards Track [Page 31]
RFC 4011 Policy Based Management MIB March 2005 be used as a group; if one is specified, they must all be. 'contextEngineID' may only be specified if all others are specified. Note that a function that uses NonLocalArgs must provide a parameter for the contextName that will be required when the NonLocalArgs are present. Many functions will have the following logic: ContextName NonLocalArgs Supplied Supplied No No Addressed to default context on local system. Yes No Addressed to named context on local system. Yes Yes Addressed to named context on potentially remote system. No Yes Not allowed. 8.1.2. Form of SNMP Values Many of the library functions have input or output parameters that may be one of the many SMI data types. The actual type is not encoded in the value but is specified elsewhere, possibly by nature of the situation in which it is used. The exact usage for input and output is as follows: Any Integer value (INTEGER, Integer32, Counter32, Counter64, Gauge32, Unsigned32, TimeTicks, Counter64): On input: An Integer or a String that can be successfully coerced to an Integer with the ToInteger() operator. It is an RTE if a string is passed that cannot be converted by ToInteger() into an integer. A string of the form enum_decimal: [ letter | digit | '-' ]* '(' decimal_constant ')' will also be accepted. In this case the sequence of characters before the parentheses and the parentheses themselves are completely ignored, and the decimal_constant inside the parentheses is converted. Thus, "frame-relay(32)" translates to the integer 32. Waldbusser, et al. Standards Track [Page 32]
RFC 4011 Policy Based Management MIB March 2005 On output: An Integer containing the returned value. Octet String On input: Either a String or an Integer. If an Integer, it will be coerced to a String with the ToString() function. This string will be used as an unencoded representation of the octet string value. On output: A String containing the unencoded value of the octet string. Object Identifier On input and on output: A String containing a decimal ASCII encoded object identifier of the following form: oid: subid [ '.' subid ]* [ '.' ] subid: '0' | decimal_constant It is an RTE if an Object Identifier argument is not in the form above. Note that a trailing '.' is acceptable and will simply be ignored. (Note, however, that a trailing dot could cause a strncmp() comparison of two otherwise-identical OIDs to fail; instead, use oidncmp().) Note that ASCII descriptors (e.g., "ifIndex") are never used in these encodings "over the wire". They are never returned from library functions; nor are they ever accepted by them. NMS user interfaces are encouraged to allow humans to view object identifiers with ASCII descriptors, but they must translate those descriptors to dotted-decimal format before sending them in MIB objects to policy agents. Null On input: The input is ignored. On output: A zero length string. Waldbusser, et al. Standards Track [Page 33]
RFC 4011 Policy Based Management MIB March 2005 8.1.3. Convenience SNMP Functions 8.1.3.1. getVar() The getVar() function is used to retrieve the value of an SNMP MIB object instance. string getVar(string oid [, string contextName, NonLocalArgs]) 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform an SNMP operation on a system different from that of 'this element'. It is an RTE if the queried object identifier value does not exist. This function returns a string containing the returned value, encoded according to the returned type. Note that no actual SNMP PDU has to be generated and parsed when the policy MIB agent resides on the same system as the managed elements. It is recommended that NMS user interfaces display and allow input of MIB object names by their descriptor values, followed by the index in dotted-decimal form (e.g., "ifType.7"). 8.1.3.2. exists() The exists() function is used to verify the existence of an SNMP MIB object instance. integer exists(string oid [, string contextName, NonLocalArgs]) 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). Waldbusser, et al. Standards Track [Page 34]
RFC 4011 Policy Based Management MIB March 2005 The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform an SNMP operation on a system different from that of 'this element'. This function returns the value 1 if the SNMP instance exists and 0 if it doesn't exist. Note that no actual SNMP PDU has to be generated and parsed when the policy MIB agent resides on the same system as the managed elements. It is recommended that NMS user interfaces display and allow input of MIB object names by their descriptor values, followed by the index in dotted-decimal form (e.g., "ifType.7"). 8.1.3.3. setVar() The setVar() function is used to set a MIB object instance to a certain value. The setVar() function is only valid in policyActions. setVar(string oid, var value, integer type [, string contextName, NonLocalArgs] ) 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). 'value' is a string encoded in the format appropriate to the 'type' parameter. The agent will set the variable specified by 'oid' to the value specified by 'value'. 'type' will be the type of the 'value' parameter and will be set to one of the values for DataType Constants. The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform an SNMP operation on a system different from that of 'this element'. Note that no actual SNMP PDU has to be generated and parsed when the policy MIB agent resides on the same system as the managed elements. Waldbusser, et al. Standards Track [Page 35]
RFC 4011 Policy Based Management MIB March 2005 It is an RTE if the set encounters any error. It is recommended that NMS user interfaces display and allow input of MIB object names by their descriptor values, followed by the index in dotted-decimal form (e.g., "ifType.7"). 8.1.3.4. searchColumn() integer searchColumn(string columnoid, string &oid, string pattern, integer mode [, string contextName, NonLocalArgs]) searchColumn performs an SNMP walk on a portion of the MIB searching for objects with values equal to the 'pattern' parameter. 'columnoid' constrains the search to those variables that share the same OID prefix (i.e., those that are beneath it in the OID tree). A getnext request will be sent requesting the object identifier 'oid'. If 'oid' is an empty string, the value of 'columnoid' will be sent. The value returned in each response packet will be transformed to a string representation of the value of the returned variable. The string representation of the value will be formed by putting the value in the form dictated by the "Form of SNMP Values" rules, and then by performing the ToString() function on this value, forming 'SearchString'. The 'mode' value controls what type of match to perform on this 'SearchString' value. There are 6 possibilities for mode: Mode Search Action ExactMatch Case sensitive exact match of 'pattern' and 'SearchString'. ExactCaseMatch Case insensitive exact match of 'pattern' and 'SearchString'. SubstringMatch Case sensitive substring match, finding 'pattern' in 'SearchString'. SubstringCaseMatch Case insensitive substring match, finding 'pattern' in 'SearchString'. RegexpMatch Case sensitive regular expression match, searching 'SearchString' for the regular expression given in 'pattern'. Waldbusser, et al. Standards Track [Page 36]
RFC 4011 Policy Based Management MIB March 2005 RegexpCaseMatch Case insensitive regular expression match, searching 'SearchString' for the regular expression given in 'pattern'. Constants for the values of 'mode' are defined in the 'Constants' section below. searchColumn uses the POSIX extended regular expressions defined in POSIX 1003.2. The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform SNMP operations on a system different from that of 'this element'. If a match is found, 'oid' is set to the OID of the matched value, and 1 is returned. If the search traverses beyond columnoid or returns an error without finding a match, zero is returned, and 'oid' isn't modified. To find the first match, the caller should set 'oid' to the empty string. To find additional matches, subsequent calls to searchColumn should have 'oid' set to the OID of the last match, an operation that searchColumn performs automatically. For example: To find an ethernet interface oid = ""; searchColumn("ifType", oid, "6", 0); This sends a getnext request for ifType and continues to walk the tree until a value matching 6 is found or a variable returns that is not in the 'ifType' subtree. To find the next ethernet interface, assuming that interface 3 was discovered to be the first: oid = "ifType.3"; searchColumn("ifType", oid, "6", 0); Waldbusser, et al. Standards Track [Page 37]
RFC 4011 Policy Based Management MIB March 2005 In a loop to determine all the ethernet interfaces, this looks as follows: oid = ""; while(searchColumn("ifType", oid, "6", 0)){ /* Do something with oid */ } Note that in the preceding examples, "ifType" is used as a notational convenience, and the actual code downloaded to the policy MIB agent must use the string "1.3.6.1.2.1.2.2.1.3" as there may be no MIB compiler (or MIB file) available on the policy MIB agent. Note that if the value of 'columnoid' is too short and thus references too much of the object identifier tree (e.g., "1.3.6"), 'columnoid' could end up searching a huge number of variables (if the value was "1.3.6", it would search ALL variables on the agent). It is the responsibility of the caller to make sure that 'columnoid' is set appropriately. 8.1.3.5. setRowStatus() integer setRowStatus(string oid, integer maxTries [, integer freeOnException , integer seed , string contextName, NonLocalArgs]) setRowStatus is used to automate the process of finding an unused row in a read-create table that uses RowStatus whose index contains an arbitrary integer component for uniqueness. 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier, with one of the subids replaced with a '*' character (e.g., "1.3.6.1.3.1.99.1.2.1.9.*"). 'oid' must reference an 'instance' of the RowStatus object, and the '*' must replace any integer index item that may be set to some random value. setRowStatus will come up with a number for the selected index item and will attempt to create the instance with the createAndWait state. If the attempt fails, it will retry with a different random index value. It will attempt this no more than 'maxTries' times. If the optional 'freeOnException' argument is present and equal to 1, the agent will free this row by setting RowStatus to 'destroy' if, later in the same script invocation, this script Waldbusser, et al. Standards Track [Page 38]
RFC 4011 Policy Based Management MIB March 2005 dies with a run-time exception or by a call to fail(). Note that this does not apply to exceptions experienced in subsequent invocations of the script. If the optional 'seed' argument is present, the initial index will be set to 'seed'. Otherwise it will be random. 'seed' may not be present if the 'freeOnException' argument is not present. The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform an SNMP operation on a system different from that of 'this element'. setRowStatus returns the successful integer value for the index. If it is unsuccessful after 'maxTries', or if zero or more than one '*' is in OID, -1 will be returned. The createRow function (below) can also be used when adding rows to tables. Although createRow has more functionality, setRowStatus may be preferable in certain situations (for example, to have the opportunity to inspect default values created by the agent). 8.1.3.6. createRow() integer createRow(integer reqPDU, integer reqNumVarbinds, integer statusColumn, integer maxTries, integer indexRange, integer &respPDU, integer &respNumVarbinds, integer &index [, integer freeOnException, string contextName, NonLocalArgs]) createRow is used to automate the process of creating a row in a read-create table whose index contains an arbitrary integer component for uniqueness. In particular, it encapsulates the algorithm behind either the createAndWait or createAndGo mechanism and the algorithm for finding an unused row in the table. createRow is not useful for creating rows in tables whose indexes don't contain an arbitrary integer component. createRow will perform the operation by sending 'reqPDU' and returning the results in 'respPDU'. Both 'reqPDU' and Waldbusser, et al. Standards Track [Page 39]
RFC 4011 Policy Based Management MIB March 2005 'respPDU' must previously have been allocated with newPDU. 'reqPDU' and 'respPDU' may both contain the same PDU handle, in which case the 'reqPDU' is sent and then replaced with the contents of the received PDU. 'reqNumVarbinds' is an integer greater than zero that specifies which varbinds in the PDU will be used in this operation. The first 'reqNumVarbinds' in the PDU are used. Each such varbind must be of a special form in which the object name must have one of its subids replaced with a '*' character (e.g., "1.3.6.1.3.1.99.1.2.1.9.*"). The subid selected to be replaced will be an integer index item that may be set to some random value. The same subid should be selected in each varbind in the PDU. 'respNumVarbinds' will be modified to contain the number of varbinds received in the last response PDU. 'statusColumn' identifies which varbind in 'pdu' should be treated as the RowStatus column, where 0 identifies the 1st varbind. createRow will come up with a random integer index value and will substitute that value in place of the '*' subid in each varbind. It will then set the value of the RowStatus column to select the 'createAndGo' mechanism and execute the set. If the attempt fails due to the unavailability of the 'createAndGo' mechanism, it will retry with the 'createAndWait' mechanism selected. If the attempt fails because the chosen index value is already in use, the operation will be retried with a different random index value. It will continue to retry different index values until it succeeds, until it has made 'maxTries' attempts, or until it encounters an error. The value of 'maxTries' should be chosen to be high enough to minimize the chance that as the table fills up an attempt to create a new entry will 'collide' too often and fail. All random index values must be between 1 and 'indexRange', inclusive. This is so that values are not attempted for an index that fall outside of that index's restricted range (e.g., 1..65535). If the optional 'freeOnException' argument is present and equal to 1, the agent will free this row by setting RowStatus to 'destroy' if, later in the same script invocation, this script dies with a run-time exception or by a call to fail(). Note that this does not apply to exceptions experienced in subsequent invocations of the script. Waldbusser, et al. Standards Track [Page 40]
RFC 4011 Policy Based Management MIB March 2005 The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. The optional 'NonLocalArgs' provide addressing and security information to perform an SNMP operation on a system different from that of 'this element'. Note that no actual SNMP PDU has to be generated and parsed when the policy MIB agent resides on the same system as the managed elements. If no PDU is generated, the agent must correctly simulate the behavior of the SNMP Response PDU, particularly in case of an error. This function returns zero unless an error occurs, in which case it returns the proper SNMP Error Constant. If an error occurred, respPDU will contain the last response PDU as received from the agent unless no response PDU was received, in which case respNumVarbinds will be 0. In any event, readError may be called on the PDU to determine error information for the transaction. The 'index' parameter returns the chosen index. If successful, 'index' will be set to the successful integer index. If no SNMP error occurs but the operation does not succeed due to the following reasons, 'index' will be set to -1: 1) Unsuccessful after 'maxTries'. 2) An object name had no '*' in it. 3) An object name had more than one '*' in it. For example, createRow() might be used as follows: var index, pdu = newPDU(), nVars = 0; writeVar(pdu, nVars++, "hlHostControlDataSource.*", "ifIndex." + ev(0), Oid); writeVar(pdu, nVars++, "hlHostControlNlMaxDesiredEntries.*", 1000, Integer); writeVar(pdu, nVars++, "hlHostControlAlMaxDesiredEntries.*", 1000, Integer); writeVar(pdu, nVars++, "hlHostControlOwner.*", "policy", String); writeVar(pdu, nVars++, "hlHostControlStatus.*", "active(1)", Integer); if (createRow(pdu, nVars, 4, 20, 65535, pdu, nVars, index) != 0 Waldbusser, et al. Standards Track [Page 41]
RFC 4011 Policy Based Management MIB March 2005 || index == -1) return; // index now contains index of new row 8.1.3.7. counterRate() When a policy wishes to make a decision based on the rate of a counter, it faces a couple of problems: 1. It may have to run every X minutes but have to make decisions on rates calculated over at least Y minutes, where Y > X. This would require the complexity of managing a queue of old counter values. 2. The policy script has no control over exactly when it will run. The counterRate() function is designed to surmount these problems easily. integer counterRate(string oid, integer minInterval [, integer 64bit, string discOid, integer discMethod, string contextName, NonLocalArgs]) 'counterRate' retrieves the variable specified by oid once per invocation. It keeps track of timestamped values retrieved on previous invocations by this execution context so that it can calculate a rate over a period longer than that since the last invocation. 'oid' is the object identifier of the counter value that will be retrieved. The most recent previously saved value of the same object identifier that is at least 'minInterval' seconds old will be subtracted from the newly retrieved value, yielding a delta. If 'minInterval' is zero, this delta will be returned. Otherwise, this delta will be divided by the number of seconds elapsed between the two retrievals, and the integer-valued result will be returned (rounding down when necessary). If there was no previously saved retrieval older than 'minInterval' seconds, then -1 will be returned. It is an RTE if the query returns noSuchName, noSuchInstance, or noSuchObject or an object that is not of type Counter32 or Counter64. Waldbusser, et al. Standards Track [Page 42]
RFC 4011 Policy Based Management MIB March 2005 The delta calculation will allow for 32-bit counter semantics if it encounters rollover between the two retrievals, unless the optional argument '64bit' is present and equal to 1, in which case it will allow for 64-bit counter semantics. 'discOid' and 'discMethod' may only be present together. 'discOid' contains an object identifier of a discontinuity indicator value that will be retrieved simultaneously with each counter value: 1. If 'discMethod' is equal to 1 and the discontinuity indicator is less than the last one retrieved, then a discontinuity is indicated. 2. If 'discMethod' is equal to 2 and the discontinuity indicated is different from the last one retrieved, then a discontinuity is indicated. If this value indicates a discontinuity, this counter value (and its timestamp) will be stored, but all previously stored counter values will be invalidated and -1 will be returned. The implementation will have to store a number of timestamped counter values. The implementation must keep all values that are newer than minInterval seconds, plus the newest value that is older than minInterval seconds. Other than this one value that is older than minInterval seconds, the implementation should discard any older values. For example: Policy that executes every 60 seconds: rate = counterRate("ifInOctets.$*", 300); if (rate > 1000000) ... Another example, with a discontinuity indicator: Policy that executes every 60 seconds: rate = counterRate("ifInOctets.$*", 300, 0, "sysUpTime.0", 1); if (rate > 1000000) ... Another example, with zero minInterval: Policy that executes every 60 seconds: delta = counterRate("ifInErrors.$*", 0); if (delta > 100) ... Waldbusser, et al. Standards Track [Page 43]
RFC 4011 Policy Based Management MIB March 2005 The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. 8.1.4. General SNMP Functions It is desirable that a general SNMP interface have the ability to perform SNMP operations on multiple variables at once and that it allow multiple varbind lists to exist at once. The newPdu, readVar, and writeVar functions exist to provide these facilities in a language without pointers, arrays, and memory allocators. newPDU is called to allocate a PDU and return an integer handle to it. As PDUs are automatically freed when the script exits and can be reused during execution, there is no freePDU(). readVar and writeVar access a variable length varbind list for a PDU. The PDU handle and the index of the variable within that PDU are specified in every readVar and writeVar operation. Once a PDU has been fully specified by one or more calls to writeVar, it is passed to snmpSend (by referencing the PDU handle) and the number of varbinds to be included in the operation. When a response is returned, the contents of the response are returned in another PDU and may be read by one or more calls to readVar. Error information may be read from the PDU with the readError function. Because GetBulk PDUs send additional information in the SNMP header, the writeBulkParameters function is provided to configure these parameters. Varbinds in this data store are created automatically whenever they are written by any writeVar or snmpSend operation. For example: var pdu = newPDU(); var nVars = 0, oid, type, value; writeVar(pdu, nVars++, "sysDescr.0", "", Null); writeVar(pdu, nVars++, "sysOID.0", "", Null); writeVar(pdu, nVars++, "ifNumber.0", "", Null); if (snmpSend(pdu, nVars, Get, pdu, nVars)) return; readVar(pdu, 0, oid, value, type); readVar(pdu, 1, oid, value, type); readVar(pdu, 2, oid, value, type); ... Waldbusser, et al. Standards Track [Page 44]
RFC 4011 Policy Based Management MIB March 2005 or, var pdu = newPDU(); var nVars = 0, oid1, oid2; writeVar(pdu, nVars++, "ifIndex", "", Null); writeVar(pdu, nVars++, "ifType", "", Null); while(!done){ if (snmpSend(pdu, nVars, Getnext, pdu, nVars)) continue; readVar(pdu, 0, oid1, value, type); readVar(pdu, 1, oid2, value, type); /* leave OIDs alone, now PDU #0 is set up for next step in table walk. */ if (oidncmp(oid1, "ifIndex", oidlen("ifIndex"))) done = 0; ... } Note that in the preceding examples, descriptors such as ifType and sysDescr are used in object identifiers solely as a notational convenience. The actual code downloaded to the policy MIB agent must use a dotted decimal notation only, as there may be no MIB compiler (or MIB file) available on the policy MIB agent. To conform to this specification, implementations must allow each policy script invocation to allocate at least 5 PDUs with at least 64 varbinds per list. It is suggested that implementations limit the total number of PDUs per invocation to protect other script invocations from a malfunctioning script (e.g., a script that calls newPDU() in a loop). 8.1.4.1. newPDU() integer newPDU() newPDU will allocate a new PDU and return a handle to the PDU. If no PDU could be allocated, -1 will be returned. The PDU's initial values of nonRepeaters and maxRepetitions will be zero. 8.1.4.2. writeVar() writeVar(integer pdu, integer varBindIndex, string oid, var value, integer type) writeVar will store 'oid', 'value', and 'type' in the specified varbind. 'pdu' is the handle to a PDU allocated by newPDU(). Waldbusser, et al. Standards Track [Page 45]
RFC 4011 Policy Based Management MIB March 2005 'varBindIndex' is a non-negative integer that identifies the varbind within the specified PDU modified by this call. The first varbind is number 0. 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). 'value' is the value to be stored, of a type appropriate to the 'type' parameter. 'type' will be the type of the value parameter and will be set to one of the values for DataType Constants. It is an RTE if any of the parameters don't conform to the rules above. 8.1.4.3. readVar() readVar(integer pdu, integer varBindIndex, string &oid, var &value, integer &type) readVar will retrieve the oid, the value, and its type from the specified varbind. 'pdu' is the handle to a PDU allocated by newPDU(). 'varBindIndex' is a non-negative integer that identifies the varbind within the specified PDU read by this call. The first varbind is number 0. The object identifier value of the referenced varbind will be copied into the 'oid' parameter, formatted in an ASCII dotted- decimal representation (e.g., "1.3.6.1.2.1.1.1.0"). 'value' is the value retrieved, of a type appropriate to the 'type' parameter. 'type' is the type of the value parameter and will be set to one of the values for DataType Constants. It is an RTE if 'pdu' doesn't reference a valid PDU or 'varBindIndex' doesn't reference a valid varbind. Waldbusser, et al. Standards Track [Page 46]
RFC 4011 Policy Based Management MIB March 2005 8.1.4.4. snmpSend() integer snmpSend(integer reqPDU, integer reqNumVarbinds, integer opcode, integer &respPDU, integer &respNumVarbinds, [, string contextName , NonLocalArgs] ) snmpSend will perform an SNMP operation by sending 'reqPDU' and returning the results in 'respPDU'. Both 'reqPDU' and 'respPDU' must previously have been allocated with newPDU. 'reqPDU' and 'respPDU' may both contain the same PDU handle, in which case the 'reqPDU' is sent and then replaced with the contents of the received PDU. If the opcode specifies a Trap or V2trap, 'respPDU' will not be modified. 'reqNumVarbinds' is an integer greater than zero that specifies which varbinds in the PDU will be used in this operation. The first 'reqNumVarbinds' in the PDU are used. 'respNumVarbinds' will be modified to contain the number of varbinds received in the response PDU, which, in the case of GetBulk or an error, may be substantially different from reqNumVarbinds. 'opcode' is the type of SNMP operation to perform and must be one of the values for SNMP Operation Constants listed in the 'Constants' section below. The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. Note that no actual SNMP PDU has to be generated and parsed when the policy MIB agent resides on the same system as the managed elements. If no PDU is generated, the agent must correctly simulate the behavior of the SNMP Response PDU, particularly in case of an error. This function returns zero unless an error occurs, in which case it returns the proper SNMP Error Constant. If an error occurred, respPDU will contain the response PDU as received from the agent, unless no response PDU was received, in which case respNumVarbinds will be 0. In any event, readError may be called on the PDU to determine error information for the transaction. If an SNMP Version 1 trap is requested (the opcode is Trap(4)), then SNMP Version 2 trap parameters are supplied and converted according to the rules of RFC 3584 [8], section 3.2. The first Waldbusser, et al. Standards Track [Page 47]
RFC 4011 Policy Based Management MIB March 2005 variable binding must be sysUpTime.0, and the second must be snmpTrapOID.0, as per RFC 3416 [7], section 4.2.6. Subsequent variable bindings are copied to the SNMP Version 1 trap PDU in the usual fashion. 8.1.4.5. readError() readError(integer pdu, integer numVarbinds, integer &errorStatus, integer &errorIndex, integer &hasException) Returns the error information in a PDU. 'errorStatus' contains the error-status field from the response PDU or a local error constant if the error was generated locally. If no error was experienced or no PDU was ever copied into this PDU, this value will be 0. 'errorIndex' contains the error-index field from the response PDU. If no PDU was ever copied into this PDU, this value will be 0. 'hasException' will be 1 if any of the first 'numVarbinds' varbinds in the PDU contain an exception (Nosuchobject, Nosuchinstance, Endofmibview); otherwise it will be 0. It is an RTE if 'pdu' does not reference a valid PDU or if 'numVarbinds' references varbinds that aren't valid. 8.1.4.6. writeBulkParameters() writeBulkParameters(integer pdu, integer nonRepeaters, integer maxRepetitions) Modifies the parameters in a PDU in any subsequent GetBulk operation sent by the PDU. 'nonRepeaters' will be copied into the PDU's non-repeaters field, and 'maxRepetitions' into the max-repetitions field. This function may be called before or after writeVar is called to add varbinds to the PDU, but it must be called before the PDU is sent; otherwise, it will have no effect. A new PDU is initialized with nonRepeaters set to zero and maxRepetitions set to zero. If a Bulk PDU is sent before writeBulkParameters is called, these default values will be used. If writeBulkParameters is called to modify a PDU, it is acceptable if this PDU is later sent as a type other than bulk. The writeBulkParameters call will only affect subsequent sends of Bulk PDUs. If a PDU is used to receive the contents of a Waldbusser, et al. Standards Track [Page 48]
RFC 4011 Policy Based Management MIB March 2005 response, the values of nonRepeaters and maxRepetitions are never modified. 8.1.5. Constants for SNMP Library Functions The following constants are defined for use with all SNMP Library Functions. Policy code will be executed in an environment where the following constants are declared. (Note that the constant declarations below will not be visible in the policyCondition or policyAction code.) These constants are reserved words and cannot be used for any variable or function name. Although these declarations are expressed here as C 'const's, the 'const' construct itself is not available to be used in policy code. // Datatype Constants // From RFC 2578 [2] const integer Integer = 2; const integer Integer32 = 2; const integer String = 4; const integer Bits = 4; const integer Null = 5; const integer Oid = 6; const integer IpAddress = 64; const integer Counter32 = 65; const integer Gauge32 = 66; const integer Unsigned32 = 66; const integer TimeTicks = 67; const integer Opaque = 68; const integer Counter64 = 70; // SNMP Exceptions from RFC 3416 [7] const integer NoSuchObject = 128; const integer NoSuchInstance = 129; const integer EndOfMibView = 130; // SNMP Error Constants from RFC 3416 [7] const integer NoError = 0; const integer TooBig = 1; const integer NoSuchName = 2; const integer BadValue = 3; const integer ReadOnly = 4; const integer GenErr = 5; const integer NoAccess = 6; const integer WrongType = 7; const integer WrongLength = 8; const integer WrongEncoding = 9; Waldbusser, et al. Standards Track [Page 49]
RFC 4011 Policy Based Management MIB March 2005 const integer WrongValue = 10; const integer NoCreation = 11; const integer InconsistentValue = 12; const integer ResourceUnavailable = 13; const integer CommitFailed = 14; const integer UndoFailed = 15; const integer AuthorizationError = 16; const integer NotWritable = 17; const integer InconsistentName = 18; // "Local" Errors // These are also possible choices for errorStatus returns // For example: unknown PDU, maxVarbinds is bigger than number // written with writeVar, unknown opcode, etc. const integer BadParameter = 1000; // Request would have created a PDU larger than local limitations const integer TooLong = 1001; // A response to the request was received but errors were encountered // when parsing it. const integer ParseError = 1002; // Local system has complained of an authentication failure const integer AuthFailure = 1003; // No valid response was received in a timely fashion const integer TimedOut = 1004; // General local failure including lack of resources const integer GeneralFailure = 1005; // SNMP Operation Constants from RFC 3416 [7] const integer Get = 0; const integer Getnext = 1; const integer Set = 3; const integer Trap = 4; const integer Getbulk = 5; const integer Inform = 6; const integer V2trap = 7; // Constants from RFC 3411 [1] for SnmpMessageProcessingModel const integer SNMPv1 = 0; const integer SNMPv2c = 1; const integer SNMPv3 = 3; Waldbusser, et al. Standards Track [Page 50]
RFC 4011 Policy Based Management MIB March 2005 // Constants from RFC 3411 [1] for SnmpSecurityModel const integer SNMPv1 = 1; const integer SNMPv2c = 2; const integer USM = 3; // SnmpSecurityLevel Constants from RFC 3411 [1] const integer NoAuthNoPriv = 1; const integer AuthNoPriv = 2; const integer AuthPriv = 3; // Constants for use with searchColumn const integer ExactMatch = 0; const integer ExactCaseMatch = 1; const integer SubstringMatch = 2; const integer SubstringCaseMatch = 3; const integer RegexpMatch = 4; const integer RegexpCaseMatch = 5; 8.2. Policy Library Functions Policy Library Functions provide access to information specifically related to the execution of policies. 8.2.1. elementName() The elementName() function is used to determine what the current element is and can be used to provide information about the type of element and how it is indexed. string elementName() elementName returns a string containing an ASCII dotted-decimal representation of an object identifier (e.g., 1.3.6.1.2.1.1.1.0). This object identifier identifies an instance of a MIB object that is an attribute of 'this element'. 8.2.2. elementAddress() elementAddress(&tDomain, &tAddress) elementAddress finds a domain/address pair that can be used to access 'this element' and returns the values in 'tDomain' and 'tAddress'. Waldbusser, et al. Standards Track [Page 51]
RFC 4011 Policy Based Management MIB March 2005 8.2.3. elementContext() string elementContext() elementContext() returns a string containing the SNMP contextName of 'this element'. 8.2.4. ec() The ec() (element count) and ev() (element value) functions provide convenient access to the components of the index for 'this element'. Typical uses will be in creating the index to other, related elements. integer ec() ec() returns an integer count of the number of index subidentifiers that exist in the index for 'this element'. 8.2.5. ev() integer ev(integer n) ev() returns the value of the nth subidentifier in the index for 'this element'. The first subidentifier is indexed at 0. It is an RTE if n specifies a subidentifier beyond the last subidentifier. 8.2.6. roleMatch() The roleMatch() function is used to check whether an element has been assigned a particular role. integer roleMatch(string roleString [, string element, string contextName, string contextEngineID]) 'roleString' is a string. The optional argument 'element' contains the OID name of an element, defaulting to the current element if 'element' is not supplied. If roleString exactly matches (content and length) any role assigned to the specified element, the function returns 1. If no roles match, the function returns 0. The optional 'contextName' argument contains the SNMP context on which to operate. If 'contextName' is not present, the contextName of 'this element' will be used. If 'contextName' is the zero-length string, the default context is used. Waldbusser, et al. Standards Track [Page 52]
RFC 4011 Policy Based Management MIB March 2005 'contextEngineID' contains the contextEngineID of the remote system on which 'element' resides. It is encoded as a pair of hex digits (upper- and lowercase are valid) for each octet of the contextEngineID. If 'contextEngineID' is not present, the contextEngineID of 'this element' will be used. 'contextEngineID' may only be present if the 'element' and 'context' arguments are present. 8.2.7. Scratchpad Functions Every maxLatency time period, every policy runs once for each element. When the setScratchpad function executes, it stores a value named by a string that can be retrieved with getScratchpad() even after this policy execution code exits. This allows sharing of data between a condition and an action, two conditions executing on different elements, or even different policies altogether. The value of 'scope' controls which policy/element combinations can retrieve this 'varName'/'value' pair. The following are options for 'scope': Global The 'varName'/'value' combination will be available in the condition or action of any policy while it is executing on any element. Note that any information placed here will be visible to all other scripts on this system regardless of their authority. Sensitive information should not be placed in global scratchpad variables. Policy The 'varName'/'value' combination will be available in any future execution of the condition or action of the current policy (regardless of what element the policy is executing on). If a policy is ever deleted, or if its condition or action code is modified, all values in its 'Policy' scope will be deleted. PolicyElement The 'varName'/'value' combination will be available in future executions of the condition or action of the current policy, but only when the policy is executing on the current element. If a policy is ever deleted, or if its condition or action code is modified, all values in its 'PolicyElement' scope will be deleted. The agent may also periodically delete values in a 'PolicyElement' scope if the corresponding element does not exist (in other words, if an element disappears for a period and reappears, values in its 'PolicyElement' scope may or may not be deleted). Waldbusser, et al. Standards Track [Page 53]
RFC 4011 Policy Based Management MIB March 2005 setScratchpad's 'storageType' argument allows the script to control the lifetime of a variable stored in the scratchpad. If the storageType is equal to the constant 'volatile', then this variable must be deleted on a reboot. If it is equal to 'nonVolatile', then this variable should be stored in non-volatile storage, where it will be available after a reboot. If the 'storageType' argument is not present, the variable will be volatile and will be erased on reboot. If the optional 'freeOnException' argument is present and equal to 1, the agent will free this variable if, later in the same script invocation, this script dies with a run-time exception or by a call to fail(). (Note that this does not apply to exceptions experienced in subsequent invocations of the script.) Note that there may be implementation-specific limits on the number of scratchpad variables that can be allocated. The limit of unique scratchpad variables may be different for each scope or storageType. It is suggested that implementations limit the total number of scratchpad variables per script to protect other scripts from a malfunctioning script. In addition, compliant implementations must support at least 50 Global variables, 5 Policy variables per policy, and 5 PolicyElement variables per policy-element pair. Scratchpad Usage Examples Policy Element Action A ifIndex.1 setScratchpad(Global, "foo", "55") A ifIndex.1 getScratchpad(Global, "foo", val) --> 55 A ifIndex.2 getScratchpad(Global, "foo", val) --> 55 B ifIndex.2 getScratchpad(Global, "foo", val) --> 55 B ifIndex.2 setScratchpad(Global, "foo", "16") A ifIndex.1 getScratchpad(Global, "foo", val) --> 16 Policy Element Action A ifIndex.1 setScratchpad(Policy, "bar", "75") A ifIndex.1 getScratchpad(Policy, "bar", val) --> 75 A ifIndex.2 getScratchpad(Policy, "bar", val) --> 75 B ifIndex.1 getScratchpad(Policy, "bar", val) not found B ifIndex.1 setScratchpad(Policy, "bar", "20") A ifIndex.2 getScratchpad(Policy, "bar", val) --> 75 B ifIndex.2 getScratchpad(Policy, "bar", val) --> 20 Policy Element Action A ifIndex.1 setScratchpad(PolicyElement, "baz", "43") A ifIndex.1 getScratchpad(PolicyElement, "baz", val) --> 43 A ifIndex.2 getScratchpad(PolicyElement, "baz", val) not found B ifIndex.1 getScratchpad(PolicyElement, "baz", val) not found A ifIndex.2 setScratchpad(PolicyElement, "baz", "54") Waldbusser, et al. Standards Track [Page 54]
RFC 4011 Policy Based Management MIB March 2005 B ifIndex.1 setScratchpad(PolicyElement, "baz", "65") A ifIndex.1 getScratchpad(PolicyElement, "baz", val) --> 43 A ifIndex.2 getScratchpad(PolicyElement, "baz", val) --> 54 B ifIndex.1 getScratchpad(PolicyElement, "baz", val) --> 65 Policy Element Action A ifIndex.1 setScratchpad(PolicyElement, "foo", "11") A ifIndex.1 setScratchpad(Global, "foo", "22") A ifIndex.1 getScratchpad(PolicyElement, "foo", val) --> 11 A ifIndex.1 getScratchpad(Global, "foo", val) --> 22 Constants The following constants are defined for use with the scratchpad functions. Policy code will be executed in an environment where the following constants are declared. (Note that these constant declarations will not be visible in the policyCondition or policyAction MIB objects.) Although these declarations are expressed here as C 'const's, the 'const' construct itself is not available to be used inside of policy code. // Scratchpad Constants // Values of scope const integer Global = 0; const integer Policy = 1; const integer PolicyElement = 2; // Values of storageType const integer Volatile = 0; const integer NonVolatile = 1; 8.2.8. setScratchpad() setScratchpad(integer scope, string varName [, string value, integer storageType, integer freeOnException ]) The setScratchpad function stores a value that can be retrieved even after this policy execution code exits. The value of 'scope' controls which policy/element combinations can retrieve this 'varName'/'value' pair. The options for 'scope' are Global, Policy, and PolicyElement. Waldbusser, et al. Standards Track [Page 55]
RFC 4011 Policy Based Management MIB March 2005 'varName' is a string used to identify the value. Subsequent retrievals of the same 'varName' in the proper scope will return the value stored. Note that the namespace for 'varName' is distinct for each scope. 'varName' is case sensitive. 'value' is a string containing the value to be stored. ToString(value) is called on 'value' to convert it to a string before storage. If the 'value' argument is missing, the 'varName' in scope 'scope' will be deleted if it exists. If the optional 'storageType' argument is present and is equal to the constant 'Volatile', then this variable must be deleted on a reboot. If it is equal to 'NonVolatile', then this variable should be stored in non-volatile storage, where it will be available after a reboot. If the 'storageType' argument is not present, the variable will be volatile and will be erased on reboot. 'storageType' may not be present if the 'value' argument is not present. If the variable already existed, its previous storageType is updated according to the current 'storageType' argument. If the optional 'freeOnException' argument is present and equal to 1, the agent will free this variable if, later in the same script invocation, this script dies with a run-time exception or by a call to fail(). (Note that this does not apply to exceptions experienced in subsequent invocations of the script.) 8.2.9. getScratchpad() integer getScratchpad(integer scope, string varName, string &value) The getScratchpad function allows the retrieval of values that were stored previously in this execution context or in other execution contexts. The value of 'scope' controls which execution contexts can pass a value to this execution context. The options for 'scope' are Global, Policy, and PolicyElement. 'varName' is a string used to identify the value. Subsequent retrievals of the same 'varName' in the proper scope will return the value stored. Note that the namespace for varName is distinct for each scope. As a result, getScratchpad cannot force access to a variable in an inaccessible scope; it can only retrieve variables by referencing the proper scope in which they were set. 'varName' is case sensitive. Waldbusser, et al. Standards Track [Page 56]
RFC 4011 Policy Based Management MIB March 2005 On successful return, 'value' will be set to the value that was previously stored; otherwise, 'value' will not be modified. This function returns 1 if a value was previously stored and 0 otherwise. 8.2.10. signalError() The signalError() function is used by the script to indicate to a management station that it is experiencing abnormal behavior. signalError() turns on the conditionUserSignal(3) or actionUserSignal(5) bit in the associated pmTrackingPEInfo object (subsequent calls to signalError() have no additional effect). This bit is initially cleared at the beginning of each execution. If, upon a subsequent execution, the script finishes without calling signalError, the bit will be cleared. signalError() The signalException function takes no arguments and returns no value. 8.2.11. defer() Precedence groups enforce the rule that for each element, of the ready policies that match the condition, only the one with the highest precedence value will be active. Unfortunately, once the winning policy has been selected and the action begins running, situations can occur in which the policy script determines that it cannot complete its task. In many such cases, it is desirable that the next runner-up ready policy be executed. In the previous example, it would be desirable that at least bronze behavior be configured if gold is appropriate but gold isn't possible. When a policy defers, it exits, and the ready, condition-matching policy with the next-highest precedence is immediately run. Because this might also defer, the execution environment must remember where it is in the precedence chain so that it can continue going down the chain until an action completes without deferring, or until no policies are left in the precedence group. Once a policy finishes successfully, the next iteration will begin at the top of the precedence chain. There are two ways to defer. A script can exit by calling fail() and specify that it should defer immediately. Alternately, a script can instruct the execution environment to defer automatically in the event of a run-time exception. Waldbusser, et al. Standards Track [Page 57]
RFC 4011 Policy Based Management MIB March 2005 defer(integer deferOnRTE) The defer function changes the run-time exception behavior of a script. By default, a script will not defer when it encounters an RTE. If defer(1) is called, the exit behavior is changed so that the script will defer when it is terminated due to an RTE. If defer(0) is called, the script is reset to its default behavior and will not defer. Note that calling defer doesn't cause the script to exit. Defer only changes the default behavior if an RTE occurs later in this invocation. 8.2.12. fail() fail(integer defer, integer free [, string message] ) The fail function causes the script to optionally perform certain functions and then exit. If 'defer' is 1, this script will defer to the next lower precedence ready policy in the same precedence group whose condition matches. If 'defer' isn't 1, it will not defer. Note that if a condition defers, it is functionally equivalent to the condition returning false. If 'free' is 1, certain registered resources will be freed. If, earlier in this script invocation, any rows were created by createRow with the 'freeOnException' option, the execution environment will set the RowStatus of each row to 'destroy' to delete the row. Further, if earlier in this script invocation any scratchpad variables were created or modified with the 'freeOnException' option, they will be deleted. If the optional 'message' argument is present, it will be logged to the debugging table if pmPolicyDebugging is turned on for this policy. This function does not return. Instead, the script will terminate. 8.2.13. getParameters() From time to time, policy scripts may be parameterized so that they are supplied with one or more parameters (e.g., site-specific constants). These parameters may be installed in the pmPolicyParameters object and are accessible to the script via the getParameters() function. If it is necessary for multiple parameters Waldbusser, et al. Standards Track [Page 58]
RFC 4011 Policy Based Management MIB March 2005 to be passed to the script, the script can choose whatever encoding/delimiting mechanism is most appropriate so that the multiple parameters can be stored in the associated instance of pmPolicyParameters. string getParameters() The getParameters function takes no arguments. It returns a string containing the value of the pmPolicyParameters object for the running policy. For example, if a policy is to apply to "slow speed interfaces" and the cutoff point for slow speed should be parameterized, the policy filter should be: getVar("ifSpeed.$*") == getParameters() In this example, one can store the string "128000" in the policy's pmPolicyParameters object to cause this policy to act on all 128 Kbps interfaces. 8.3. Utility Library Functions Utility Library Functions are provided to enable more efficient policy scripts. 8.3.1. regexp() integer regexp(string pattern, string str, integer case [, string &match]) regexp searches 'str' for matches to the regular expression given in `pattern`. regexp uses the POSIX extended regular expressions defined in POSIX 1003.2. If `case` is 0, the search will be case insensitive; otherwise, it will be case sensitive. If a match is found, 1 is returned, otherwise 0 is returned. If the optional argument 'match' is provided and a match is found, 'match' will be replaced with the text of the first substring of 'str' that matches 'pattern'. If no match is found, it will be unchanged. Waldbusser, et al. Standards Track [Page 59]
RFC 4011 Policy Based Management MIB March 2005 8.3.2. regexpReplace() string regexpReplace(string pattern, string replacement, string str, integer case) regexpReplace searches 'str' for matches to the regular expression given in 'pattern', replacing each occurrence of matched text with 'replacement'. regexpReplace uses the POSIX extended regular expressions defined in POSIX 1003.2. If `case` is 0, the search will be case insensitive; otherwise, it will be case sensitive. The modified string is returned (it would be the same as the original string if no matches were found). 8.3.3. oidlen() integer oidlen(string oid) oidlen returns the number of subidentifiers in 'oid'. 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). 8.3.4. oidncmp() integer oidncmp(string oid1, string oid2, integer n) Arguments 'oid1' and 'oid2' are strings containing ASCII dotted-decimal representations of object identifiers (e.g., "1.3.6.1.2.1.1.1.0"). oidcmp compares not more than n subidentifiers of 'oid1' and 'oid2' and returns -1 if 'oid1' is less than 'oid2', 0 if they are equal, and 1 if 'oid1' is greater than 'oid2'. 8.3.5. inSubtree() integer inSubtree(string oid, string prefix) Arguments 'oid' and 'prefix' are strings containing ASCII dotted-decimal representations of object identifiers (e.g., "1.3.6.1.2.1.1.1.0"). inSubtree returns 1 if every subidentifier in 'prefix' equals the corresponding subidentifier in 'oid', otherwise it returns 0. The is equivalent to oidncmp(oid1, prefix, oidlen(prefix)) Waldbusser, et al. Standards Track [Page 60]
RFC 4011 Policy Based Management MIB March 2005 is provided because this is an idiom and because it avoids evaluating 'prefix' twice if it is an expression. 8.3.6. subid() integer subid(string oid, integer n) subid returns the value of the nth (starting at zero) subidentifier of 'oid'. 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). If n specifies a subidentifier beyond the length of 'oid', a value of -1 is returned. 8.3.7. subidWrite() integer subidWrite(string oid, integer n, integer subid) subidWrite sets the value of the nth (starting at zero) subidentifier of 'oid' to 'subid'. 'oid' is a string containing an ASCII dotted-decimal representation of an object identifier (e.g., "1.3.6.1.2.1.1.1.0"). If n specifies a subidentifier beyond the length of 'oid', a value of -1 is returned. Note that appending subidentifiers can be accomplished with the string concatenation '+' operator. If no error occurs, zero is returned. 8.3.8. oidSplice() string oidSplice(string oid1, integer offset, integer len, string oid2) oidSplice returns an OID formed by replacing 'len' subidentifiers in 'oid1' with all of the subidentifiers from 'oid2', starting at 'offset' in 'oid1' (the first subidentifier is at offset 0). The OID length will be extended, if necessary, if 'offset' + 'len' extends beyond the end of 'oid1'. If 'offset' is larger than the length of oid1, then an RTE will occur. The resulting OID is returned. For example: oidSplice("1.3.6.1.2.1", 5, 1, "7") => "1.3.6.1.2.7" oidSplice("1.3.6.1.2.1", 4, 2, "7.7") => "1.3.6.1.7.7" oidSplice("1.3.6.1.2.1", 4, 3, "7.7.7") => "1.3.6.1.7.7.7" Waldbusser, et al. Standards Track [Page 61]
RFC 4011 Policy Based Management MIB March 2005 8.3.9. parseIndex() ParseIndex is provided to make it easy to pull index values from OIDs into variables. var parseIndex(string oid, integer &index, integer type, integer len) parseIndex pulls values from the instance identification portion of 'oid', encoded as per Section 7.7, "Mapping of the INDEX Clause", of the SMIv2 [2]. 'oid' is the OID to be parsed. 'index' describes which subid to begin parsing at. 'index' will be modified to indicate the subid after the last one parsed (even if this points past the last subid). The first subid is index 0. If any error occurs, 'index' will be set to -1 on return. If the input index is less than 0 or refers past the end of the OID, 'index' will be set to -1 on return and the function will return 0. If 'type' is Integer, 'len' will not be consulted. The return value is the integer value of the next subid. If 'type' is String and 'len' is greater than zero, 'len' subids will be parsed. For each subid parsed, the chr() value of the subid will be appended to the returned string. If any subid is greater than 255, 'index' will be set to -1 on return, and an empty string will be returned. If there are fewer than 'len' subids left in 'oid', 'index' will be set to -1 on return, but a string will be returned containing a character for each subid that was left. If 'type' is String and 'len' is zero, the next subid will be parsed to find N, the length of the string. Then, that many subids will be parsed. For each subid parsed, the chr() value of the subid will be appended to the returned string. If any subid is greater than 255, 'index' will be set to -1 on return, and an empty string will be returned. If there are fewer than N subids left in 'oid', 'index' will be set to -1 on return, but a string will be returned containing a character for each subid that was left. If 'type' is String and 'len' is -1, subids will be parsed until the end of 'oid'. For each subid parsed, the chr() value of the subid will be appended to the returned string. If any Waldbusser, et al. Standards Track [Page 62]
RFC 4011 Policy Based Management MIB March 2005 subid is greater than 255, 'index' will be set to -1 on return, and an empty string will be returned. If 'type' is Oid and 'len' is greater than zero, 'len' subids will be parsed. For each subid parsed, the decimal-encoded value of the subid will be appended to the returned string, with a '.' character appended between each output subid, but not after the last subid. If there are fewer than 'len' subids left in 'oid', 'index' will be set to -1 on return, but a string will be returned containing an encoding for each subid that was left. If 'type' is Oid and 'len' is zero, the next subid will be parsed to find N, the number of subids to parse. For each subid parsed, the decimal-encoded value of the subid will be appended to the returned string, with a '.' character appended between each output subid but not after the last subid. If there are fewer than N subids left in 'oid', 'index' will be set to -1 on return, but a string will be returned containing an encoding for each subid that was left. If 'type' is Oid and 'len' is -1, subids will be parsed until the end of 'oid'. For each subid parsed, the decimal-encoded value of the subid will be appended to the returned string, with a '.' character appended between each output subid, but not after the last subid. For example, to decode the index component of an instance of the ipForward table: oid = "ipForwardIfIndex.0.0.0.0.13.0.192.168.1.1"; index = 11; dest = parseIndex(oid, index, String, 4); proto = parseIndex(oid, index, Integer, 0); policy = parseIndex(oid, index, Integer, 0); nextHop = parseIndex(oid, index, String, 4); // proto and policy now contain integer values // dest and nextHop now contain 4 byte IP addresses. Use // stringToDotted to get them to dotted decimal notation: // e.g.: stringToDotted(nextHop) => "192.168.1.1" 8.3.10. stringToDotted() stringToDotted() is provided to encode strings suitable for the index portion of an OID or to convert the binary encoding of an IP address to a dotted-decimal encoding. Waldbusser, et al. Standards Track [Page 63]
RFC 4011 Policy Based Management MIB March 2005 string stringToDotted(string value) If 'value' is the zero-length string, the zero-length string is returned. The decimal encoding of the first byte of 'value' is appended to the output string. Then, for each additional byte in 'value', a '.' is appended to the output string, followed by the decimal encoding of the additional byte. 8.3.11. integer() integer integer(var input) integer converts 'input' into an integer by using the rules specified for ToInteger(), returning the integer-typed results. 8.3.12. string() string string(var input) string converts 'input' into a string by using the rules specified for ToString(), returning the string-typed results. 8.3.13. type() string type(var variable) type returns the type of its argument as either the string 'String' or the string 'Integer'. 8.3.14. chr() string chr(integer char) Returns a one-character string containing the character specified by the ASCII code contained in 'char'. 8.3.15. ord() integer ord(string str) Returns the ASCII value of the first character of 'str'. This function complements chr(). Waldbusser, et al. Standards Track [Page 64]
RFC 4011 Policy Based Management MIB March 2005 8.3.16. substr() string substr(string &str, integer offset [, integer len, string replacement]) Extracts a substring out of 'str' and returns it. The first octet is at offset 0. If the offset is negative, the returned string starts that far from the end of 'str'. If 'len' is positive, the returned string contains up to 'len' octets, up to the end of the string. If 'len' is omitted, the returned string includes everything to the end of 'str'. If 'len' is negative, abs(len) octets are left off the end of the string. If a substring is specified that is partly outside the string, the part within the string is returned. If the substring is totally outside the string, a zero-length string is produced. If the optional 'replacement' argument is included, 'str' is modified. 'offset' and 'len' act as above to select a range of octets in 'str'. These octets are replaced with octets from 'replacement'. If the replacement string is shorter or longer than the number of octets selected, 'str' will shrink or grow, respectively. If 'replacement' is included, the 'len' argument must also be included. Note that to replace everything from offset to the end of the string, substr() should be called as follows: substr(str, offset, strlen(str) - offset, replacement) 8.4. General Functions The following POSIX standard library functions are provided: strncmp() strncasecmp() strlen() random() sprintf() sscanf() 9. International String Library This library is optional for systems that wish to have support for collating (sorting) and verifying equality of international strings in a manner that will be least surprising to humans. International Waldbusser, et al. Standards Track [Page 65]
RFC 4011 Policy Based Management MIB March 2005 strings are encoded in the UTF-8 transformation format described in [14]. This library is registered with the name "pmInternationalStringLibrary". When verifying equality of international strings in the Unicode character set, it is recommended to normalize the strings with the stringprep() function before checking for equality. When attempting to sort international strings in the Unicode character set, normalization should also be performed, but note that the result is highly context dependent and hard to implement correctly. Just ordering by Unicode Codepoint Value is in many cases not what the end user expects. See Unicode technical note 9 for more information about sorting. 9.1. stringprep() integer stringprep(string utf8Input, string &utf8Output) Performs the Stringprep [13] transformation for appropriate comparison of internationalized strings. The transformation is performed on 'utf8Input'; if the transformation finishes without error, the resulting string is written to utf8Output. The stringprep profile used is specified below in Section 9. If it is successful, the function returns 1. If the stringprep transformation encounters an error, 0 is returned, and the utf8Output parameter remains unchanged. For example, to compare UTF8 strings 'one' and 'two': if (stringprep(one, a) && stringprep(two, b)){ if (a == b){ // strings are identical } else { // strings are different } } else { // strings couldn't be transformed for comparison } See Stringprep [13] for more information. 9.1.1. Stringprep Profile The Stringprep specification [13] describes a framework for preparing Unicode text strings in order to increase the likelihood that string input and string comparison work in ways that make sense for typical Waldbusser, et al. Standards Track [Page 66]
RFC 4011 Policy Based Management MIB March 2005 users throughout the world. Specifications that specify stringprep (as this one does) are required to fully specify stringprep's processing options by documenting a stringprep profile. This profile defines the following, as required by Stringprep: - The intended applicability of the profile: internationalized network management information. - The character repertoire that is the input and output to stringprep: Unicode 3.2, as defined in Stringprep [13], Appendix A.1. - The mapping tables used: Table B.1 from Stringprep [13]. - Any additional mapping tables specific to the profile: None. - The Unicode normalization used: Form KC, as described in Stringprep [13]. - The characters that are prohibited as output: As specified in the following tables from Stringprep [13]: Table C.2 Table C.3 Table C.4 Table C.5 Table C.6 Table C.7 Table C.8 Table C.9 - Bidirectional character handling: not performed. - Any additional characters that are prohibited as output: None. 9.2. utf8Strlen() integer utf8Strlen(string str) Returns the number of UTF-8 characters in 'str', which may be less than the number of octets in 'str' if one or more characters are multi-byte characters. Waldbusser, et al. Standards Track [Page 67]
RFC 4011 Policy Based Management MIB March 2005 9.3. utf8Chr() string utf8Chr(integer utf8) Returns a one-character string containing the character specified by the UTF-8 code contained in 'utf8'. Although it contains only 1 UTF-8 character, the resulting string may be more than 1 octet in length. 9.4. utf8Ord() integer utf8Ord(string str) Returns the UTF-8 code-point value of the first character of 'str'. Note that the first UTF-8 character in 'str' may be more than 1 octet in length. This function complements chr(). 9.5. utf8Substr() string utf8Substr(string &str, integer offset [, integer len, string replacement]) Extracts a substring out of 'str' and returns it, keeping track of UTF-8 character boundaries and using them, instead of octets, as the basis for offset and length calculations. The first character is at offset 0. If offset is negative, the returned string starts that far from the end of 'str'. If 'len' is positive, the returned string contains up to 'len' characters, up to the end of the string. If 'len' is omitted, the returned string includes everything to the end of 'str'. If 'len' is negative, abs(len) characters are left off the end of the string. If you specify a substring that is partly outside the string, the part within the string is returned. If the substring is totally outside the string, a zero-length string is produced. If the optional 'replacement' argument is included, 'str' is modified. 'offset' and 'len' act as above to select a range of characters in 'str'. These characters are replaced with characters from 'replacement'. If the replacement string is shorter or longer than the number of characters selected, 'str' will shrink or grow, respectively. If 'replacement' is included, the 'len' argument must also be included. Waldbusser, et al. Standards Track [Page 68]
RFC 4011 Policy Based Management MIB March 2005 Note that to replace everything from offset to the end of the string, substr() should be called as follows: substr(str, offset, strlen(str) - offset, replacement) 10. Schedule Table This table is an adapted form of the policyTimePeriodCondition class defined in the Policy Core Information Model, RFC 3060 [18]. Some of the objects describing a schedule are expressed in formats defined in the iCalendar specification [15]. The policy schedule table allows control over when a valid policy will be ready, based on the date and time. A policy's pmPolicySchedule variable refers to a group of one or more schedules in the schedule table. At any given time, if any of these schedules are active, the policy will be ready (assuming that it is enabled and thus valid), and its conditions and actions will be executed, as appropriate. At times when none of these schedules are active, the policy will not be ready and will have no effect. A policy will always be ready if its pmPolicySchedule variable is 0. If a policy has a non-zero pmPolicySchedule that doesn't refer to a group that includes an active schedule, then the policy will not be ready, even if this is due to a misconfiguration of the pmPolicySchedule object or the pmSchedTable. A policy that is controlled by a schedule group immediately executes its policy condition (and conditionally the policyAction) when the schedule group becomes active, periodically re-executing these scripts as appropriate until the schedule group becomes inactive (i.e., all schedules are inactive). An individual schedule item is active at those times that match all the variables that define the schedule: pmSchedTimePeriod, pmSchedMonth, pmSchedDay, pmSchedWeekDay, and pmSchedTimeOfDay. It is possible to specify multiple values for each schedule item. This provides a mechanism for defining complex schedules. For example, a schedule that is active the entire workday each weekday could be defined. Months, days, and weekdays are specified by using the objects pmSchedMonth, pmSchedDay, and pmSchedWeekDay of type BITS. Setting multiple bits in these objects causes an OR operation. For example, setting the bits monday(1) and friday(5) in pmSchedWeekDay restricts the schedule to Mondays and Fridays. Waldbusser, et al. Standards Track [Page 69]
RFC 4011 Policy Based Management MIB March 2005 The matched times for pmSchedTimePeriod, pmSchedMonth, pmSchedDay pmSchedWeekDay, and pmSchedTimeOfDay are ANDed together to determine the time periods when the schedule will be active; in other words, the schedule is only active for those times when ALL of these schedule attributes match. For example, a schedule with an overall validity range of January 1, 2000, through December 31, 2000; a month mask that selects March and April; a day-of-the-week mask that selects Fridays; and a time-of-day range of 0800 through 1600 would represent the following time periods: Friday, March 5, 2000, from 0800 through 1600 Friday, March 12, 2000, from 0800 through 1600 Friday, March 19, 2000, from 0800 through 1600 Friday, March 26, 2000, from 0800 through 1600 Friday, April 2, 2000, from 0800 through 1600 Friday, April 9, 2000, from 0800 through 1600 Friday, April 16, 2000, from 0800 through 1600 Friday, April 23, 2000, from 0800 through 1600 Friday, April 30, 2000, from 0800 through 1600 Wildcarding of schedule attributes of type BITS is achieved by setting all bits to one. It is possible to define schedules that will never cause a policy to be activated. For example, one can define a schedule that should be active on February 31st. 11. Definitions POLICY-BASED-MANAGEMENT-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Counter32, Gauge32, Unsigned32, mib-2 FROM SNMPv2-SMI RowStatus, RowPointer, TEXTUAL-CONVENTION, DateAndTime, StorageType FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB; -- Policy-Based Management MIB pmMib MODULE-IDENTITY LAST-UPDATED "200502070000Z" -- February 7, 2005 ORGANIZATION "IETF SNMP Configuration Working Group" CONTACT-INFO " Waldbusser, et al. Standards Track [Page 70]
RFC 4011 Policy Based Management MIB March 2005 Steve Waldbusser Phone: +1-650-948-6500 Fax: +1-650-745-0671 Email: waldbusser@nextbeacon.com Jon Saperia (WG Co-chair) JDS Consulting, Inc. 84 Kettell Plain Road. Stow MA 01775 USA Phone: +1-978-461-0249 Fax: +1-617-249-0874 Email: saperia@jdscons.com Thippanna Hongal Riverstone Networks, Inc. 5200 Great America Parkway Santa Clara, CA, 95054 USA Phone: +1-408-878-6562 Fax: +1-408-878-6501 Email: hongal@riverstonenet.com David Partain (WG Co-chair) Postal: Ericsson AB P.O. Box 1248 SE-581 12 Linkoping Sweden Tel: +46 13 28 41 44 E-mail: David.Partain@ericsson.com Any questions or comments about this document can also be directed to the working group at snmpconf@snmp.com." DESCRIPTION "The MIB module for policy-based configuration of SNMP infrastructures. Copyright (C) The Internet Society (2005). This version of this MIB module is part of RFC 4011; see the RFC itself for full legal notices." REVISION "200502070000Z" -- February 7, 2005 DESCRIPTION "The original version of this MIB, published as RFC4011." ::= { mib-2 124 } Waldbusser, et al. Standards Track [Page 71]
RFC 4011 Policy Based Management MIB March 2005 PmUTF8String ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An octet string containing information typically in human-readable form. To facilitate internationalization, this information is represented by using the ISO/IEC IS 10646-1 character set, encoded as an octet string using the UTF-8 transformation format described in RFC 3629. As additional code points are added by amendments to the 10646 standard from time to time, implementations must be prepared to encounter any code point from 0x00000000 to 0x10FFFF. Byte sequences that do not correspond to the valid UTF-8 encoding of a code point or that are outside this range are prohibited. The use of control codes should be avoided. When it is necessary to represent a newline, the control code sequence CR LF should be used. For code points not directly supported by user interface hardware or software, an alternative means of entry and display, such as hexadecimal, may be provided. For information encoded in 7-bit US-ASCII, the UTF-8 encoding is identical to the US-ASCII encoding. UTF-8 may require multiple bytes to represent a single character/code point; thus, the length of this object in octets may be different from the number of characters encoded. Similarly, size constraints refer to the number of encoded octets, not the number of characters represented by an encoding. Note that when this TC is used for an object used or envisioned to be used as an index, then a SIZE restriction MUST be specified so that the number of sub-identifiers for any object instance does not exceed the limit of 128, as defined by Waldbusser, et al. Standards Track [Page 72]
RFC 4011 Policy Based Management MIB March 2005 RFC 3416. Note that the size of PmUTF8String object is measured in octets, not characters." SYNTAX OCTET STRING (SIZE (0..65535)) -- The policy table pmPolicyTable OBJECT-TYPE SYNTAX SEQUENCE OF PmPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The policy table. A policy is a pairing of a policyCondition and a policyAction that is used to apply the action to a selected set of elements." ::= { pmMib 1 } pmPolicyEntry OBJECT-TYPE SYNTAX PmPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the policy table representing one policy." INDEX { pmPolicyAdminGroup, pmPolicyIndex } ::= { pmPolicyTable 1 } PmPolicyEntry ::= SEQUENCE { pmPolicyAdminGroup PmUTF8String, pmPolicyIndex Unsigned32, pmPolicyPrecedenceGroup PmUTF8String, pmPolicyPrecedence Unsigned32, pmPolicySchedule Unsigned32, pmPolicyElementTypeFilter PmUTF8String, pmPolicyConditionScriptIndex Unsigned32, pmPolicyActionScriptIndex Unsigned32, pmPolicyParameters OCTET STRING, pmPolicyConditionMaxLatency Unsigned32, pmPolicyActionMaxLatency Unsigned32, pmPolicyMaxIterations Unsigned32, pmPolicyDescription PmUTF8String, pmPolicyMatches Gauge32, pmPolicyAbnormalTerminations Gauge32, pmPolicyExecutionErrors Counter32, pmPolicyDebugging INTEGER, pmPolicyAdminStatus INTEGER, pmPolicyStorageType StorageType, pmPolicyRowStatus RowStatus Waldbusser, et al. Standards Track [Page 73]
RFC 4011 Policy Based Management MIB March 2005 } pmPolicyAdminGroup OBJECT-TYPE SYNTAX PmUTF8String (SIZE(0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned string that can be used to group policies for convenience, for readability, or to simplify configuration of access control. The value of this string does not affect policy processing in any way. If grouping is not desired or necessary, this object may be set to a zero-length string." ::= { pmPolicyEntry 1 } pmPolicyIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique index for this policy entry, unique among all policies regardless of administrative group." ::= { pmPolicyEntry 2 } pmPolicyPrecedenceGroup OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "An administratively assigned string that is used to group policies. For each element, only one policy in the same precedence group may be active on that element. If multiple policies would be active on an element (because their conditions return non-zero), the execution environment will only allow the policy with the highest value of pmPolicyPrecedence to be active. All values of this object must have been successfully transformed by Stringprep RFC 3454. Management stations must perform this translation and must only set this object to string values that have been transformed." ::= { pmPolicyEntry 3 } pmPolicyPrecedence OBJECT-TYPE SYNTAX Unsigned32 (0..65535) MAX-ACCESS read-create STATUS current Waldbusser, et al. Standards Track [Page 74]
RFC 4011 Policy Based Management MIB March 2005 DESCRIPTION "If, while checking to see which policy conditions match an element, 2 or more ready policies in the same precedence group match the same element, the pmPolicyPrecedence object provides the rule to arbitrate which single policy will be active on 'this element'. Of policies in the same precedence group, only the ready and matching policy with the highest precedence value (e.g., 2 is higher than 1) will have its policy action periodically executed on 'this element'. When a policy is active on an element but the condition ceases to match the element, its action (if currently running) will be allowed to finish and then the condition-matching ready policy with the next-highest precedence will immediately become active (and have its action run immediately). If the condition of a higher-precedence ready policy suddenly begins matching an element, the previously-active policy's action (if currently running) will be allowed to finish and then the higher precedence policy will immediately become active. Its action will run immediately, and any lower-precedence matching policy will not be active anymore. In the case where multiple ready policies share the highest value, it is an implementation-dependent matter as to which single policy action will be chosen. Note that if it is necessary to take certain actions after a policy is no longer active on an element, these actions should be included in a lower-precedence policy that is in the same precedence group." ::= { pmPolicyEntry 4 } pmPolicySchedule OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-create STATUS current DESCRIPTION "This policy will be ready if any of the associated schedule entries are active. If the value of this object is 0, this policy is always ready. If the value of this object is non-zero but doesn't refer to a schedule group that includes an active schedule, then the policy will not be ready, even if this is due to a misconfiguration of this object or the pmSchedTable." ::= { pmPolicyEntry 5 } Waldbusser, et al. Standards Track [Page 75]
RFC 4011 Policy Based Management MIB March 2005 pmPolicyElementTypeFilter OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..128)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the element types for which this policy can be executed. The format of this object will be a sequence of pmElementTypeRegOIDPrefix values, encoded in the following BNF form: elementTypeFilter: oid [ ';' oid ]* oid: subid [ '.' subid ]* subid: '0' | decimal_constant For example, to register for the policy to be run on all interface elements, the 'ifEntry' element type will be registered as '1.3.6.1.2.1.2.2.1'. If a value is included that does not represent a registered pmElementTypeRegOIDPrefix, then that value will be ignored." ::= { pmPolicyEntry 6 } pmPolicyConditionScriptIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "A pointer to the row or rows in the pmPolicyCodeTable that contain the condition code for this policy. When a policy entry is created, a pmPolicyCodeIndex value unused by this policy's adminGroup will be assigned to this object. A policy condition is one or more PolicyScript statements that result(s) in a boolean value that represents whether an element is a member of a set of elements upon which an action is to be performed. If a policy is ready and the condition returns true for an element of a proper element type, and if no higher-precedence policy should be active, then the policy is active on that element. Condition evaluation stops immediately when any run-time exception is detected, and the policyAction is not executed. The policyCondition is evaluated for various elements. Any element for which the policyCondition returns any nonzero value will match the condition and will have the associated Waldbusser, et al. Standards Track [Page 76]
RFC 4011 Policy Based Management MIB March 2005 policyAction executed on that element unless a higher-precedence policy in the same precedence group also matches 'this element'. If the condition object is empty (contains no code) or otherwise does not return a value, the element will not be matched. When this condition is executed, if SNMP requests are made to the local system and secModel/secName/secLevel aren't specified, access to objects is under the security credentials of the requester who most recently modified the associated pmPolicyAdminStatus object. If SNMP requests are made in which secModel/secName/secLevel are specified, then the specified credentials are retrieved from the local configuration datastore only if VACM is configured to allow access to the requester who most recently modified the associated pmPolicyAdminStatus object. See the Security Considerations section for more information." ::= { pmPolicyEntry 7 } pmPolicyActionScriptIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-only STATUS current DESCRIPTION "A pointer to the row or rows in the pmPolicyCodeTable that contain the action code for this policy. When a policy entry is created, a pmPolicyCodeIndex value unused by this policy's adminGroup will be assigned to this object. A PolicyAction is an operation performed on a set of elements for which the policy is active. Action evaluation stops immediately when any run-time exception is detected. When this condition is executed, if SNMP requests are made to the local system and secModel/secName/secLevel aren't specified, access to objects is under the security credentials of the requester who most recently modified the associated pmPolicyAdminStatus object. If SNMP requests are made in which secModel/secName/secLevel are specified, then the specified credentials are retrieved from the local configuration datastore only if VACM is configured to allow access to the requester who most recently modified the associated pmPolicyAdminStatus object. See the Security Considerations section for more information." Waldbusser, et al. Standards Track [Page 77]
RFC 4011 Policy Based Management MIB March 2005 ::= { pmPolicyEntry 8 } pmPolicyParameters OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..65535)) MAX-ACCESS read-create STATUS current DESCRIPTION "From time to time, policy scripts may seek one or more parameters (e.g., site-specific constants). These parameters may be installed with the script in this object and are accessible to the script via the getParameters() function. If it is necessary for multiple parameters to be passed to the script, the script can choose whatever encoding/delimiting mechanism is most appropriate." ::= { pmPolicyEntry 9 } pmPolicyConditionMaxLatency OBJECT-TYPE SYNTAX Unsigned32 (0..2147483647) UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "Every element under the control of this agent is re-checked periodically to see whether it is under control of this policy by re-running the condition for this policy. This object lets the manager control the maximum amount of time that may pass before an element is re-checked. In other words, in any given interval of this duration, all elements must be re-checked. Note that how the policy agent schedules the checking of various elements within this interval is an implementation-dependent matter. Implementations may wish to re-run a condition more quickly if they note a change to the role strings for an element." ::= { pmPolicyEntry 10 } pmPolicyActionMaxLatency OBJECT-TYPE SYNTAX Unsigned32 (0..2147483647) UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "Every element that matches this policy's condition and is therefore under control of this policy will have this policy's action executed periodically to ensure that the element remains in the state dictated by the policy. This object lets the manager control the maximum amount of Waldbusser, et al. Standards Track [Page 78]
RFC 4011 Policy Based Management MIB March 2005 time that may pass before an element has the action run on it. In other words, in any given interval of this duration, all elements under control of this policy must have the action run on them. Note that how the policy agent schedules the policy action on various elements within this interval is an implementation-dependent matter." ::= { pmPolicyEntry 11 } pmPolicyMaxIterations OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "If a condition or action script iterates in loops too many times in one invocation, the execution environment may consider it in an infinite loop or otherwise not acting as intended and may be terminated by the execution environment. The execution environment will count the cumulative number of times all 'for' or 'while' loops iterated and will apply a threshold to determine when to terminate the script. What threshold the execution environment uses is an implementation-dependent manner, but the value of this object SHOULD be the basis for choosing the threshold for each script. The value of this object represents a policy-specific threshold and can be tuned for policies of varying workloads. If this value is zero, no threshold will be enforced except for any implementation-dependent maximum. Regardless of this value, the agent is allowed to terminate any script invocation that exceeds a local CPU or memory limitation. Note that the condition and action invocations are tracked separately." ::= { pmPolicyEntry 12 } pmPolicyDescription OBJECT-TYPE SYNTAX PmUTF8String MAX-ACCESS read-create STATUS current DESCRIPTION "A description of this rule and its significance, typically provided by a human." ::= { pmPolicyEntry 13 } pmPolicyMatches OBJECT-TYPE SYNTAX Gauge32 Waldbusser, et al. Standards Track [Page 79]
RFC 4011 Policy Based Management MIB March 2005 UNITS "elements" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of elements that, in their most recent execution of the associated condition, were matched by the condition." ::= { pmPolicyEntry 14 } pmPolicyAbnormalTerminations OBJECT-TYPE SYNTAX Gauge32 UNITS "elements" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of elements that, in their most recent execution of the associated condition or action, have experienced a run-time exception and terminated abnormally. Note that if a policy was experiencing a run-time exception while processing a particular element but runs normally on a subsequent invocation, this number can decline." ::= { pmPolicyEntry 15 } pmPolicyExecutionErrors OBJECT-TYPE SYNTAX Counter32 UNITS "errors" MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of times that execution of this policy's condition or action has been terminated due to run-time exceptions." ::= { pmPolicyEntry 16 } pmPolicyDebugging OBJECT-TYPE SYNTAX INTEGER { off(1), on(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "The status of debugging for this policy. If this is turned on(2), log entries will be created in the pmDebuggingTable for each run-time exception that is experienced by this policy." DEFVAL { off } ::= { pmPolicyEntry 17 } Waldbusser, et al. Standards Track [Page 80]
RFC 4011 Policy Based Management MIB March 2005 pmPolicyAdminStatus OBJECT-TYPE SYNTAX INTEGER { disabled(1), enabled(2), enabledAutoRemove(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "The administrative status of this policy. The policy will be valid only if the associated pmPolicyRowStatus is set to active(1) and this object is set to enabled(2) or enabledAutoRemove(3). If this object is set to enabledAutoRemove(3), the next time the associated schedule moves from the active state to the inactive state, this policy will immediately be deleted, including any associated entries in the pmPolicyCodeTable. The following related objects may not be changed unless this object is set to disabled(1): pmPolicyPrecedenceGroup, pmPolicyPrecedence, pmPolicySchedule, pmPolicyElementTypeFilter, pmPolicyConditionScriptIndex, pmPolicyActionScriptIndex, pmPolicyParameters, and any pmPolicyCodeTable row referenced by this policy. In order to change any of these parameters, the policy must be moved to the disabled(1) state, changed, and then re-enabled. When this policy moves to either enabled state from the disabled state, any cached values of policy condition must be erased, and any Policy or PolicyElement scratchpad values for this policy should be removed. Policy execution will begin by testing the policy condition on all appropriate elements." ::= { pmPolicyEntry 18 } pmPolicyStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "This object defines whether this policy and any associated entries in the pmPolicyCodeTable are kept in volatile storage and lost upon reboot or if this row is backed up by non-volatile or permanent storage. Waldbusser, et al. Standards Track [Page 81]
RFC 4011 Policy Based Management MIB March 2005 If the value of this object is 'permanent', the values for the associated pmPolicyAdminStatus object must remain writable." ::= { pmPolicyEntry 19 } pmPolicyRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The row status of this pmPolicyEntry. The status may not be set to active if any of the related entries in the pmPolicyCode table do not have a status of active or if any of the objects in this row are not set to valid values. Only the following objects may be modified while in the active state: pmPolicyParameters pmPolicyConditionMaxLatency pmPolicyActionMaxLatency pmPolicyDebugging pmPolicyAdminStatus If this row is deleted, any associated entries in the pmPolicyCodeTable will be deleted as well." ::= { pmPolicyEntry 20 } -- Policy Code Table pmPolicyCodeTable OBJECT-TYPE SYNTAX SEQUENCE OF PmPolicyCodeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmPolicyCodeTable stores the code for policy conditions and actions. An example of the relationships between the code table and the policy table follows: pmPolicyTable AdminGroup Index ConditionScriptIndex ActionScriptIndex A '' 1 1 2 B 'oper' 1 1 2 C 'oper' 2 3 4 pmPolicyCodeTable AdminGroup ScriptIndex Segment Note Waldbusser, et al. Standards Track [Page 82]
RFC 4011 Policy Based Management MIB March 2005 '' 1 1 Filter for policy A '' 2 1 Action for policy A 'oper' 1 1 Filter for policy B 'oper' 2 1 Action 1/2 for policy B 'oper' 2 2 Action 2/2 for policy B 'oper' 3 1 Filter for policy C 'oper' 4 1 Action for policy C In this example, there are 3 policies: 1 in the '' adminGroup, and 2 in the 'oper' adminGroup. Policy A has been assigned script indexes 1 and 2 (these script indexes are assigned out of a separate pool per adminGroup), with 1 code segment each for the filter and the action. Policy B has been assigned script indexes 1 and 2 (out of the pool for the 'oper' adminGroup). While the filter has 1 segment, the action is longer and is loaded into 2 segments. Finally, Policy C has been assigned script indexes 3 and 4, with 1 code segment each for the filter and the action." ::= { pmMib 2 } pmPolicyCodeEntry OBJECT-TYPE SYNTAX PmPolicyCodeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the policy code table representing one code segment. Entries that share a common AdminGroup/ScriptIndex pair make up a single script. Valid values of ScriptIndex are retrieved from pmPolicyConditionScriptIndex and pmPolicyActionScriptIndex after a pmPolicyEntry is created. Segments of code can then be written to this table with the learned ScriptIndex values. The StorageType of this entry is determined by the value of the associated pmPolicyStorageType. The pmPolicyAdminGroup element of the index represents the administrative group of the policy of which this code entry is a part." INDEX { pmPolicyAdminGroup, pmPolicyCodeScriptIndex, pmPolicyCodeSegment } ::= { pmPolicyCodeTable 1 } PmPolicyCodeEntry ::= SEQUENCE { pmPolicyCodeScriptIndex Unsigned32, pmPolicyCodeSegment Unsigned32, pmPolicyCodeText PmUTF8String, pmPolicyCodeStatus RowStatus Waldbusser, et al. Standards Track [Page 83]
RFC 4011 Policy Based Management MIB March 2005 } pmPolicyCodeScriptIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique index for each policy condition or action. The code for each such condition or action may be composed of multiple entries in this table if the code cannot fit in one entry. Values of pmPolicyCodeScriptIndex may not be used unless they have previously been assigned in the pmPolicyConditionScriptIndex or pmPolicyActionScriptIndex objects." ::= { pmPolicyCodeEntry 1 } pmPolicyCodeSegment OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique index for each segment of a policy condition or action. When a policy condition or action spans multiple entries in this table, the code of that policy starts from the lowest-numbered segment and continues with increasing segment values until it ends with the highest-numbered segment." ::= { pmPolicyCodeEntry 2 } pmPolicyCodeText OBJECT-TYPE SYNTAX PmUTF8String (SIZE (1..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "A segment of policy code (condition or action). Lengthy Policy conditions or actions may be stored in multiple segments in this table that share the same value of pmPolicyCodeScriptIndex. When multiple segments are used, it is recommended that each segment be as large as is practical. Entries in this table are associated with policies by values of the pmPolicyConditionScriptIndex and pmPolicyActionScriptIndex objects. If the status of the related policy is active, then this object may not be modified." ::= { pmPolicyCodeEntry 3 } Waldbusser, et al. Standards Track [Page 84]
RFC 4011 Policy Based Management MIB March 2005 pmPolicyCodeStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The status of this code entry. Entries in this table are associated with policies by values of the pmPolicyConditionScriptIndex and pmPolicyActionScriptIndex objects. If the status of the related policy is active, then this object can not be modified (i.e., deleted or set to notInService), nor may new entries be created. If the status of this object is active, no objects in this row may be modified." ::= { pmPolicyCodeEntry 4 } -- Element Type Registration Table pmElementTypeRegTable OBJECT-TYPE SYNTAX SEQUENCE OF PmElementTypeRegEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A registration table for element types managed by this system. The Element Type Registration table allows the manager to learn what element types are being managed by the system and to register new types, if necessary. An element type is registered by providing the OID of an SNMP object (i.e., without the instance). Each SNMP instance that exists under that object is a distinct element. The index of the element is the index part of the discovered OID. This index will be supplied to policy conditions and actions so that this code can inspect and configure the element. For example, this table might contain the following entries. The first three are agent-installed, and the 4th was downloaded by a management station: OIDPrefix MaxLatency Description StorageType ifEntry 100 mS interfaces - builtin readOnly 0.0 100 mS system element - builtin readOnly frCircuitEntry 100 mS FR Circuits - builtin readOnly hrSWRunEntry 60 sec Running Processes volatile Waldbusser, et al. Standards Track [Page 85]
RFC 4011 Policy Based Management MIB March 2005 Note that agents may automatically configure elements in this table for frequently used element types (interfaces, circuits, etc.). In particular, it may configure elements for whom discovery is optimized in one or both of the following ways: 1. The agent may discover elements by scanning internal data structures as opposed to issuing local SNMP requests. It is possible to recreate the exact semantics described in this table even if local SNMP requests are not issued. 2. The agent may receive asynchronous notification of new elements (for example, 'card inserted') and use that information to instantly create elements rather than through polling. A similar feature might be available for the deletion of elements. Note that the disposition of agent-installed entries is described by the pmPolicyStorageType object." ::= { pmMib 3 } pmElementTypeRegEntry OBJECT-TYPE SYNTAX PmElementTypeRegEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A registration of an element type. Note that some values of this table's index may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such values." INDEX { pmElementTypeRegOIDPrefix } ::= { pmElementTypeRegTable 1 } PmElementTypeRegEntry ::= SEQUENCE { pmElementTypeRegOIDPrefix OBJECT IDENTIFIER, pmElementTypeRegMaxLatency Unsigned32, pmElementTypeRegDescription PmUTF8String, pmElementTypeRegStorageType StorageType, pmElementTypeRegRowStatus RowStatus } pmElementTypeRegOIDPrefix OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "This OBJECT IDENTIFIER value identifies a table in which all Waldbusser, et al. Standards Track [Page 86]
RFC 4011 Policy Based Management MIB March 2005 elements of this type will be found. Every row in the referenced table will be treated as an element for the period of time that it remains in the table. The agent will then execute policy conditions and actions as appropriate on each of these elements. This object identifier value is specified down to the 'entry' component (e.g., ifEntry) of the identifier. The index of each discovered row will be passed to each invocation of the policy condition and policy action. The actual mechanism by which instances are discovered is implementation dependent. Periodic walks of the table to discover the rows in the table is one such mechanism. This mechanism has the advantage that it can be performed by an agent with no knowledge of the names, syntax, or semantics of the MIB objects in the table. This mechanism also serves as the reference design. Other implementation-dependent mechanisms may be implemented that are more efficient (perhaps because they are hard coded) or that don't require polling. These mechanisms must discover the same elements as would the table-walking reference design. This object can contain a OBJECT IDENTIFIER, '0.0'. '0.0' represents the single instance of the system itself and provides an execution context for policies to operate on the 'system element' and on MIB objects modeled as scalars. For example, '0.0' gives an execution context for policy-based selection of the operating system code version (likely modeled as a scalar MIB object). The element type '0.0' always exists; as a consequence, no actual discovery will take place, and the pmElementTypeRegMaxLatency object will have no effect for the '0.0' element type. However, if the '0.0' element type is not registered in the table, policies will not be executed on the '0.0' element. When a policy is invoked on behalf of a '0.0' entry in this table, the element name will be '0.0', and there is no index of 'this element' (in other words, it has zero length). As this object is used in the index for the pmElementTypeRegTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmElementTypeRegEntry 2 } Waldbusser, et al. Standards Track [Page 87]
RFC 4011 Policy Based Management MIB March 2005 pmElementTypeRegMaxLatency OBJECT-TYPE SYNTAX Unsigned32 UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "The PM agent is responsible for discovering new elements of types that are registered. This object lets the manager control the maximum amount of time that may pass between the time an element is created and when it is discovered. In other words, in any given interval of this duration, all new elements must be discovered. Note that how the policy agent schedules the checking of various elements within this interval is an implementation-dependent matter." ::= { pmElementTypeRegEntry 3 } pmElementTypeRegDescription OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..64)) MAX-ACCESS read-create STATUS current DESCRIPTION "A descriptive label for this registered type." ::= { pmElementTypeRegEntry 4 } pmElementTypeRegStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "This object defines whether this row is kept in volatile storage and lost upon reboot or backed up by non-volatile or permanent storage. If the value of this object is 'permanent', no values in the associated row have to be writable." ::= { pmElementTypeRegEntry 5 } pmElementTypeRegRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The status of this registration entry. If the value of this object is active, no objects in this row may be modified." ::= { pmElementTypeRegEntry 6 } Waldbusser, et al. Standards Track [Page 88]
RFC 4011 Policy Based Management MIB March 2005 -- Role Table pmRoleTable OBJECT-TYPE SYNTAX SEQUENCE OF PmRoleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmRoleTable is a read-create table that organizes role strings sorted by element. This table is used to create and modify role strings and their associations, as well as to allow a management station to learn about the existence of roles and their associations. It is the responsibility of the agent to keep track of any re-indexing of the underlying SNMP elements and to continue to associate role strings with the element with which they were initially configured. Policy MIB agents that have elements in multiple local SNMP contexts have to allow some roles to be assigned to elements in particular contexts. This is particularly true when some elements have the same names in different contexts and the context is required to disambiguate them. In those situations, a value for the pmRoleContextName may be provided. When a pmRoleContextName value is not provided, the assignment is to the element in the default context. Policy MIB agents that discover elements on other systems and execute policies on their behalf need to have access to role information for these remote elements. In such situations, role assignments for other systems can be stored in this table by providing values for the pmRoleContextEngineID parameters. For example: Example: element role context ctxEngineID #comment ifindex.1 gold local, default context ifindex.2 gold local, default context repeaterid.1 foo rptr1 local, rptr1 context repeaterid.1 bar rptr2 local, rptr2 context ifindex.1 gold '' A different system ifindex.1 gold '' B different system The agent must store role string associations in non-volatile storage." ::= { pmMib 4 } Waldbusser, et al. Standards Track [Page 89]
RFC 4011 Policy Based Management MIB March 2005 pmRoleEntry OBJECT-TYPE SYNTAX PmRoleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A role string entry associates a role string with an individual element. Note that some combinations of index values may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such combinations." INDEX { pmRoleElement, pmRoleContextName, pmRoleContextEngineID, pmRoleString } ::= { pmRoleTable 1 } PmRoleEntry ::= SEQUENCE { pmRoleElement RowPointer, pmRoleContextName SnmpAdminString, pmRoleContextEngineID OCTET STRING, pmRoleString PmUTF8String, pmRoleStatus RowStatus } pmRoleElement OBJECT-TYPE SYNTAX RowPointer MAX-ACCESS not-accessible STATUS current DESCRIPTION "The element with which this role string is associated. For example, if the element is interface 3, then this object will contain the OID for 'ifIndex.3'. If the agent assigns new indexes in the MIB table to represent the same underlying element (re-indexing), the agent will modify this value to contain the new index for the underlying element. As this object is used in the index for the pmRoleTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmRoleEntry 1 } Waldbusser, et al. Standards Track [Page 90]
RFC 4011 Policy Based Management MIB March 2005 pmRoleContextName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is not in the default SNMP context for the target system, this object is used to identify the context. If the element is in the default context, this object is equal to the empty string." ::= { pmRoleEntry 2 } pmRoleContextEngineID OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0 | 5..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is on a remote system, this object is used to identify the remote system. This object contains the contextEngineID of the system for which this role string assignment is valid. If the element is on the local system this object will be the empty string." ::= { pmRoleEntry 3 } pmRoleString OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..64)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The role string that is associated with an element through this table. All role strings must have been successfully transformed by Stringprep RFC 3454. Management stations must perform this translation and must only set this object to string values that have been transformed. A role string is an administratively specified characteristic of a managed element (for example, an interface). It is a selector for policy rules, that determines the applicability of the rule to a particular managed element." ::= { pmRoleEntry 4 } pmRoleStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The status of this role string. Waldbusser, et al. Standards Track [Page 91]
RFC 4011 Policy Based Management MIB March 2005 If the value of this object is active, no object in this row may be modified." ::= { pmRoleEntry 5 } -- Capabilities table pmCapabilitiesTable OBJECT-TYPE SYNTAX SEQUENCE OF PmCapabilitiesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmCapabilitiesTable contains a description of the inherent capabilities of the system so that management stations can learn of an agent's capabilities and differentially install policies based on the capabilities. Capabilities are expressed at the system level. There can be variation in how capabilities are realized from one vendor or model to the next. Management systems should consider these differences before selecting which policy to install in a system." ::= { pmMib 5 } pmCapabilitiesEntry OBJECT-TYPE SYNTAX PmCapabilitiesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A capabilities entry holds an OID indicating support for a particular capability. Capabilities may include hardware and software functions and the implementation of MIB Modules. The semantics of the OID are defined in the description of pmCapabilitiesType. Entries appear in this table if any element in the system has a specific capability. A capability should appear in this table only once, regardless of the number of elements in the system with that capability. An entry is removed from this table when the last element in the system that has the capability is removed. In some cases, capabilities are dynamic and exist only in software. This table should have an entry for the capability even if there are no current instances. Examples include systems with database or WEB services. While the system has the ability to create new databases or WEB services, the entry should exist. In these cases, the ability to create these services could come from other processes that are running in the system, even though there are no currently open databases or WEB servers running. Waldbusser, et al. Standards Track [Page 92]
RFC 4011 Policy Based Management MIB March 2005 Capabilities may include the implementation of MIB Modules but need not be limited to those that represent MIB Modules with one or more configurable objects. It may also be valuable to include entries for capabilities that do not include configuration objects, as that information, in combination with other entries in this table, might be used by the management software to determine whether to install a policy. Vendor software may also add entries in this table to express capabilities from their private branch. Note that some values of this table's index may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such values." INDEX { pmCapabilitiesType } ::= { pmCapabilitiesTable 1 } PmCapabilitiesEntry ::= SEQUENCE { pmCapabilitiesType OBJECT IDENTIFIER } pmCapabilitiesType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "There are three types of OIDs that may be present in the pmCapabilitiesType object: 1) The OID of a MODULE-COMPLIANCE macro that represents the highest level of compliance realized by the agent for that MIB Module. For example, an agent that implements the OSPF MIB Module at the highest level of compliance would have the value of '1.3.6.1.2.1.14.15.2' in the pmCapabilitiesType object. For software that realizes standard MIB Modules that do not have compliance statements, the base OID of the MIB Module should be used instead. If the OSPF MIB Module had not been created with a compliance statement, then the correct value of the pmCapabilitiesType would be '1.3.6.1.2.1.14'. In the cases where multiple compliance statements in a MIB Module are supported by the agent, and where one compliance statement does not by definition include the other, each of the compliance OIDs would have entries in this table. Waldbusser, et al. Standards Track [Page 93]
RFC 4011 Policy Based Management MIB March 2005 MIB Documents can contain more than one MIB Module. In the case of OSPF, there is a second MIB Module that describes notifications for the OSPF Version 2 Protocol. If the agent also realizes these functions, an entry will also exist for those capabilities in this table. 2) Vendors should install OIDs in this table that represent vendor-specific capabilities. These capabilities can be expressed just as those described above for MIB Modules on the standards track. In addition, vendors may install any OID they desire from their registered branch. The OIDs may be at any level of granularity, from the root of their entire branch to an instance of a single OID. There is no restriction on the number of registrations they may make, though care should be taken to avoid unnecessary entries. 3) OIDs that represent one capability or a collection of capabilities that could be any collection of MIB Objects or hardware or software functions may be created in working groups and registered in a MIB Module. Other entities (e.g., vendors) may also make registrations. Software will register these standard capability OIDs, as well as vendor specific OIDs. If the OID for a known capability is not present in the table, then it should be assumed that the capability is not implemented. As this object is used in the index for the pmCapabilitiesTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmCapabilitiesEntry 1 } -- Capabilities override table pmCapabilitiesOverrideTable OBJECT-TYPE SYNTAX SEQUENCE OF PmCapabilitiesOverrideEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmCapabilitiesOverrideTable allows management stations to override pmCapabilitiesTable entries that have been registered by the agent. This facility can be used to avoid situations in which managers in the network send policies to a system that has advertised a capability in the pmCapabilitiesTable but that should not be installed on this particular system. One example could be newly deployed Waldbusser, et al. Standards Track [Page 94]
RFC 4011 Policy Based Management MIB March 2005 equipment that is still in a trial state in a trial state or resources reserved for some other administrative reason. This table can also be used to override entries in the pmCapabilitiesTable through the use of the pmCapabilitiesOverrideState object. Capabilities can also be declared available in this table that were not registered in the pmCapabilitiesTable. A management application can make an entry in this table for any valid OID and declare the capability available by setting the pmCapabilitiesOverrideState for that row to valid(1)." ::= { pmMib 6 } pmCapabilitiesOverrideEntry OBJECT-TYPE SYNTAX PmCapabilitiesOverrideEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in this table indicates whether a particular capability is valid or invalid. Note that some values of this table's index may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such values." INDEX { pmCapabilitiesOverrideType } ::= { pmCapabilitiesOverrideTable 1 } PmCapabilitiesOverrideEntry ::= SEQUENCE { pmCapabilitiesOverrideType OBJECT IDENTIFIER, pmCapabilitiesOverrideState INTEGER, pmCapabilitiesOverrideRowStatus RowStatus } pmCapabilitiesOverrideType OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is the OID of the capability that is declared valid or invalid by the pmCapabilitiesOverrideState value for this row. Any valid OID, as described in the pmCapabilitiesTable, is permitted in the pmCapabilitiesOverrideType object. This means that capabilities can be expressed at any level, from a specific instance of an object to a table or entire module. There are no restrictions on whether these objects are from standards track MIB documents or in the private branch of the MIB. Waldbusser, et al. Standards Track [Page 95]
RFC 4011 Policy Based Management MIB March 2005 If an entry exists in this table for which there is a corresponding entry in the pmCapabilitiesTable, then this entry shall have precedence over the entry in the pmCapabilitiesTable. All entries in this table must be preserved across reboots. As this object is used in the index for the pmCapabilitiesOverrideTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmCapabilitiesOverrideEntry 1 } pmCapabilitiesOverrideState OBJECT-TYPE SYNTAX INTEGER { invalid(1), valid(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "A pmCapabilitiesOverrideState of invalid indicates that management software should not send policies to this system for the capability identified in the pmCapabilitiesOverrideType for this row of the table. This behavior is the same whether the capability represented by the pmCapabilitiesOverrideType exists only in this table (that is, it was installed by an external management application) or exists in this table as well as the pmCapabilitiesTable. This would be the case when a manager wanted to disable a capability that the native management system found and registered in the pmCapabilitiesTable. An entry in this table that has a pmCapabilitiesOverrideState of valid should be treated as though it appeared in the pmCapabilitiesTable. If the entry also exists in the pmCapabilitiesTable in the pmCapabilitiesType object, and if the value of this object is valid, then the system shall operate as though this entry did not exist and policy installations and executions will continue in a normal fashion." ::= { pmCapabilitiesOverrideEntry 2 } pmCapabilitiesOverrideRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The row status of this pmCapabilitiesOverrideEntry. Waldbusser, et al. Standards Track [Page 96]
RFC 4011 Policy Based Management MIB March 2005 If the value of this object is active, no object in this row may be modified." ::= { pmCapabilitiesOverrideEntry 3 } -- The Schedule Group pmSchedLocalTime OBJECT-TYPE SYNTAX DateAndTime (SIZE (11)) MAX-ACCESS read-only STATUS current DESCRIPTION "The local time used by the scheduler. Schedules that refer to calendar time will use the local time indicated by this object. An implementation MUST return all 11 bytes of the DateAndTime textual-convention so that a manager may retrieve the offset from GMT time." ::= { pmMib 7 } -- -- The schedule table that controls the scheduler. -- pmSchedTable OBJECT-TYPE SYNTAX SEQUENCE OF PmSchedEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines schedules for policies." ::= { pmMib 8 } pmSchedEntry OBJECT-TYPE SYNTAX PmSchedEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry describing a particular schedule. Unless noted otherwise, writable objects of this row can be modified independently of the current value of pmSchedRowStatus, pmSchedAdminStatus and pmSchedOperStatus. In particular, it is legal to modify pmSchedWeekDay, pmSchedMonth, and pmSchedDay when pmSchedRowStatus is active." INDEX { pmSchedIndex } ::= { pmSchedTable 1 } Waldbusser, et al. Standards Track [Page 97]
RFC 4011 Policy Based Management MIB March 2005 PmSchedEntry ::= SEQUENCE { pmSchedIndex Unsigned32, pmSchedGroupIndex Unsigned32, pmSchedDescr PmUTF8String, pmSchedTimePeriod PmUTF8String, pmSchedMonth BITS, pmSchedDay BITS, pmSchedWeekDay BITS, pmSchedTimeOfDay PmUTF8String, pmSchedLocalOrUtc INTEGER, pmSchedStorageType StorageType, pmSchedRowStatus RowStatus } pmSchedIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The locally unique, administratively assigned index for this scheduling entry." ::= { pmSchedEntry 1 } pmSchedGroupIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS read-create STATUS current DESCRIPTION "The locally unique, administratively assigned index for the schedule group this scheduling entry belongs to. To assign multiple schedule entries to the same group, the pmSchedGroupIndex of each entry in the group will be set to the same value. This pmSchedGroupIndex value must be equal to the pmSchedIndex of one of the entries in the group. If the entry whose pmSchedIndex equals the pmSchedGroupIndex for the group is deleted, the agent will assign a new pmSchedGroupIndex to all remaining members of the group. If an entry is not a member of a group, its pmSchedGroupIndex must be assigned to the value of its pmSchedIndex. Policies that are controlled by a group of schedule entries are active when any schedule in the group is active." ::= { pmSchedEntry 2 } Waldbusser, et al. Standards Track [Page 98]
RFC 4011 Policy Based Management MIB March 2005 pmSchedDescr OBJECT-TYPE SYNTAX PmUTF8String MAX-ACCESS read-create STATUS current DESCRIPTION "The human-readable description of the purpose of this scheduling entry." DEFVAL { ''H } ::= { pmSchedEntry 3 } pmSchedTimePeriod OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..31)) MAX-ACCESS read-create STATUS current DESCRIPTION "The overall range of calendar dates and times over which this schedule is active. It is stored in a slightly extended version of the format for a 'period-explicit' defined in RFC 2445. This format is expressed as a string representing the starting date and time, in which the character 'T' indicates the beginning of the time portion, followed by the solidus character, '/', followed by a similar string representing an end date and time. The start of the period MUST be before the end of the period. Date-Time values are expressed as substrings of the form 'yyyymmddThhmmss'. For example: 20000101T080000/20000131T130000 January 1, 2000, 0800 through January 31, 2000, 1PM The 'Date with UTC time' format defined in RFC 2445 in which the Date-Time string ends with the character 'Z' is not allowed. This 'period-explicit' format is also extended to allow two special cases in which one of the Date-Time strings is replaced with a special string defined in RFC 2445: 1. If the first Date-Time value is replaced with the string 'THISANDPRIOR', then the value indicates that the schedule is active at any time prior to the Date-Time that appears after the '/'. 2. If the second Date-Time is replaced with the string 'THISANDFUTURE', then the value indicates that the schedule is active at any time after the Date-Time that appears before the '/'. Waldbusser, et al. Standards Track [Page 99]
RFC 4011 Policy Based Management MIB March 2005 Note that although RFC 2445 defines these two strings, they are not specified for use in the 'period-explicit' format. The use of these strings represents an extension to the 'period-explicit' format." ::= { pmSchedEntry 4 } pmSchedMonth OBJECT-TYPE SYNTAX BITS { january(0), february(1), march(2), april(3), may(4), june(5), july(6), august(7), september(8), october(9), november(10), december(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "Within the overall time period specified in the pmSchedTimePeriod object, the value of this object specifies the specific months within that time period when the schedule is active. Setting all bits will cause the schedule to act independently of the month." DEFVAL { { january, february, march, april, may, june, july, august, september, october, november, december } } ::= { pmSchedEntry 5 } pmSchedDay OBJECT-TYPE SYNTAX BITS { d1(0), d2(1), d3(2), d4(3), d5(4), d6(5), d7(6), d8(7), d9(8), d10(9), d11(10), d12(11), d13(12), d14(13), d15(14), d16(15), d17(16), d18(17), d19(18), d20(19), d21(20), d22(21), d23(22), d24(23), d25(24), d26(25), d27(26), d28(27), d29(28), d30(29), d31(30), r1(31), r2(32), r3(33), r4(34), r5(35), r6(36), r7(37), r8(38), r9(39), r10(40), r11(41), r12(42), r13(43), r14(44), r15(45), r16(46), r17(47), r18(48), r19(49), r20(50), r21(51), r22(52), r23(53), r24(54), r25(55), Waldbusser, et al. Standards Track [Page 100]
RFC 4011 Policy Based Management MIB March 2005 r26(56), r27(57), r28(58), r29(59), r30(60), r31(61) } MAX-ACCESS read-create STATUS current DESCRIPTION "Within the overall time period specified in the pmSchedTimePeriod object, the value of this object specifies the specific days of the month within that time period when the schedule is active. There are two sets of bits one can use to define the day within a month: Enumerations starting with the letter 'd' indicate a day in a month relative to the first day of a month. The first day of the month can therefore be specified by setting the bit d1(0), and d31(30) means the last day of a month with 31 days. Enumerations starting with the letter 'r' indicate a day in a month in reverse order, relative to the last day of a month. The last day in the month can therefore be specified by setting the bit r1(31), and r31(61) means the first day of a month with 31 days. Setting multiple bits will include several days in the set of possible days for this schedule. Setting all bits starting with the letter 'd' or all bits starting with the letter 'r' will cause the schedule to act independently of the day of the month." DEFVAL { { d1, d2, d3, d4, d5, d6, d7, d8, d9, d10, d11, d12, d13, d14, d15, d16, d17, d18, d19, d20, d21, d22, d23, d24, d25, d26, d27, d28, d29, d30, d31, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15, r16, r17, r18, r19, r20, r21, r22, r23, r24, r25, r26, r27, r28, r29, r30, r31 } } ::= { pmSchedEntry 6 } pmSchedWeekDay OBJECT-TYPE SYNTAX BITS { sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4), friday(5), Waldbusser, et al. Standards Track [Page 101]
RFC 4011 Policy Based Management MIB March 2005 saturday(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "Within the overall time period specified in the pmSchedTimePeriod object, the value of this object specifies the specific days of the week within that time period when the schedule is active. Setting all bits will cause the schedule to act independently of the day of the week." DEFVAL { { sunday, monday, tuesday, wednesday, thursday, friday, saturday } } ::= { pmSchedEntry 7 } pmSchedTimeOfDay OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..15)) MAX-ACCESS read-create STATUS current DESCRIPTION "Within the overall time period specified in the pmSchedTimePeriod object, the value of this object specifies the range of times in a day when the schedule is active. This value is stored in a format based on the RFC 2445 format for 'time': The character 'T' followed by a 'time' string, followed by the solidus character, '/', followed by the character 'T', followed by a second time string. The first time indicates the beginning of the range, and the second time indicates the end. Thus, this value takes the following form: 'Thhmmss/Thhmmss'. The second substring always identifies a later time than the first substring. To allow for ranges that span midnight, however, the value of the second string may be smaller than the value of the first substring. Thus, 'T080000/T210000' identifies the range from 0800 until 2100, whereas 'T210000/T080000' identifies the range from 2100 until 0800 of the following day. When a range spans midnight, by definition it includes parts of two successive days. When one of these days is also selected by either the MonthOfYearMask, DayOfMonthMask, and/or DayOfWeekMask, but the other day is not, then the policy is active only during the portion of the range that falls on the selected day. For example, if the range extends from 2100 Waldbusser, et al. Standards Track [Page 102]
RFC 4011 Policy Based Management MIB March 2005 until 0800, and the day of week mask selects Monday and Tuesday, then the policy is active during the following three intervals: From midnight Sunday until 0800 Monday From 2100 Monday until 0800 Tuesday From 2100 Tuesday until 23:59:59 Tuesday Setting this value to 'T000000/T235959' will cause the schedule to act independently of the time of day." DEFVAL { '543030303030302F54323335393539'H } -- T000000/T235959 ::= { pmSchedEntry 8 } pmSchedLocalOrUtc OBJECT-TYPE SYNTAX INTEGER { localTime(1), utcTime(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates whether the times represented in the TimePeriod object and in the various Mask objects represent local times or UTC times." DEFVAL { utcTime } ::= { pmSchedEntry 9 } pmSchedStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "This object defines whether this schedule entry is kept in volatile storage and lost upon reboot or backed up by non-volatile or permanent storage. Conceptual rows having the value 'permanent' must allow write access to the columnar objects pmSchedDescr, pmSchedWeekDay, pmSchedMonth, and pmSchedDay. If the value of this object is 'permanent', no values in the associated row have to be writable." DEFVAL { volatile } ::= { pmSchedEntry 10 } Waldbusser, et al. Standards Track [Page 103]
RFC 4011 Policy Based Management MIB March 2005 pmSchedRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The status of this schedule entry. If the value of this object is active, no object in this row may be modified." ::= { pmSchedEntry 11 } -- Policy Tracking -- The "policy to element" (PE) table and the "element to policy" (EP) -- table track the status of execution contexts grouped by policy and -- element respectively. pmTrackingPETable OBJECT-TYPE SYNTAX SEQUENCE OF PmTrackingPEEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmTrackingPETable describes what elements are active (under control of) a policy. This table is indexed in order to optimize retrieval of the entire status for a given policy." ::= { pmMib 9 } pmTrackingPEEntry OBJECT-TYPE SYNTAX PmTrackingPEEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the pmTrackingPETable. The pmPolicyIndex in the index specifies the policy tracked by this entry. Note that some combinations of index values may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such combinations." INDEX { pmPolicyIndex, pmTrackingPEElement, pmTrackingPEContextName, pmTrackingPEContextEngineID } ::= { pmTrackingPETable 1 } Waldbusser, et al. Standards Track [Page 104]
RFC 4011 Policy Based Management MIB March 2005 PmTrackingPEEntry ::= SEQUENCE { pmTrackingPEElement RowPointer, pmTrackingPEContextName SnmpAdminString, pmTrackingPEContextEngineID OCTET STRING, pmTrackingPEInfo BITS } pmTrackingPEElement OBJECT-TYPE SYNTAX RowPointer MAX-ACCESS not-accessible STATUS current DESCRIPTION "The element that is acted upon by the associated policy. As this object is used in the index for the pmTrackingPETable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmTrackingPEEntry 1 } pmTrackingPEContextName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is not in the default SNMP context for the target system, this object is used to identify the context. If the element is in the default context, this object is equal to the empty string." ::= { pmTrackingPEEntry 2 } pmTrackingPEContextEngineID OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0 | 5..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is on a remote system, this object is used to identify the remote system. This object contains the contextEngineID of the system on which the associated element resides. If the element is on the local system, this object will be the empty string." ::= { pmTrackingPEEntry 3 } pmTrackingPEInfo OBJECT-TYPE SYNTAX BITS { actionSkippedDueToPrecedence(0), conditionRunTimeException(1), conditionUserSignal(2), Waldbusser, et al. Standards Track [Page 105]
RFC 4011 Policy Based Management MIB March 2005 actionRunTimeException(3), actionUserSignal(4) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object returns information about the previous policy script executions. If the actionSkippedDueToPrecedence(1) bit is set, the last execution of the associated policy condition returned non-zero, but the action is not active, because it was trumped by a matching policy condition in the same precedence group with a higher precedence value. If the conditionRunTimeException(2) bit is set, the last execution of the associated policy condition encountered a run-time exception and aborted. If the conditionUserSignal(3) bit is set, the last execution of the associated policy condition called the signalError() function. If the actionRunTimeException(4) bit is set, the last execution of the associated policy action encountered a run-time exception and aborted. If the actionUserSignal(5) bit is set, the last execution of the associated policy action called the signalError() function. Entries will only exist in this table of one or more bits are set. In particular, if an entry does not exist for a particular policy/element combination, it can be assumed that the policy's condition did not match 'this element'." ::= { pmTrackingPEEntry 4 } -- Element to Policy Table pmTrackingEPTable OBJECT-TYPE SYNTAX SEQUENCE OF PmTrackingEPEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The pmTrackingEPTable describes what policies are controlling an element. This table is indexed in order to optimize retrieval of the status of all policies active for a given element." Waldbusser, et al. Standards Track [Page 106]
RFC 4011 Policy Based Management MIB March 2005 ::= { pmMib 10 } pmTrackingEPEntry OBJECT-TYPE SYNTAX PmTrackingEPEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the pmTrackingEPTable. Entries exist for all element/policy combinations for which the policy's condition matches and only if the schedule for the policy is active. The pmPolicyIndex in the index specifies the policy tracked by this entry. Note that some combinations of index values may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such combinations." INDEX { pmTrackingEPElement, pmTrackingEPContextName, pmTrackingEPContextEngineID, pmPolicyIndex } ::= { pmTrackingEPTable 1 } PmTrackingEPEntry ::= SEQUENCE { pmTrackingEPElement RowPointer, pmTrackingEPContextName SnmpAdminString, pmTrackingEPContextEngineID OCTET STRING, pmTrackingEPStatus INTEGER } pmTrackingEPElement OBJECT-TYPE SYNTAX RowPointer MAX-ACCESS not-accessible STATUS current DESCRIPTION "The element acted upon by the associated policy. As this object is used in the index for the pmTrackingEPTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmTrackingEPEntry 1 } pmTrackingEPContextName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is not in the default SNMP context Waldbusser, et al. Standards Track [Page 107]
RFC 4011 Policy Based Management MIB March 2005 for the target system, this object is used to identify the context. If the element is in the default context, this object is equal to the empty string." ::= { pmTrackingEPEntry 2 } pmTrackingEPContextEngineID OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0 | 5..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is on a remote system, this object is used to identify the remote system. This object contains the contextEngineID of the system on which the associated element resides. If the element is on the local system, this object will be the empty string." ::= { pmTrackingEPEntry 3 } pmTrackingEPStatus OBJECT-TYPE SYNTAX INTEGER { on(1), forceOff(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This entry will only exist if the calendar for the policy is active and if the associated policyCondition returned 1 for 'this element'. A policy can be forcibly disabled on a particular element by setting this value to forceOff(2). The agent should then act as though the policyCondition failed for 'this element'. The forceOff(2) state will persist (even across reboots) until this value is set to on(1) by a management request. The forceOff(2) state may be set even if the entry does not previously exist so that future policy invocations can be avoided. Unless forcibly disabled, if this entry exists, its value will be on(1)." ::= { pmTrackingEPEntry 4 } -- Policy Debugging Table pmDebuggingTable OBJECT-TYPE SYNTAX SEQUENCE OF PmDebuggingEntry MAX-ACCESS not-accessible STATUS current Waldbusser, et al. Standards Track [Page 108]
RFC 4011 Policy Based Management MIB March 2005 DESCRIPTION "Policies that have debugging turned on will generate a log entry in the policy debugging table for every runtime exception that occurs in either the condition or action code. The pmDebuggingTable logs debugging messages when policies experience run-time exceptions in either the condition or action code and the associated pmPolicyDebugging object has been turned on. The maximum number of debugging entries that will be stored and the maximum length of time an entry will be kept are an implementation-dependent manner. If entries must be discarded to make room for new entries, the oldest entries must be discarded first. If the system restarts, all debugging entries may be deleted." ::= { pmMib 11 } pmDebuggingEntry OBJECT-TYPE SYNTAX PmDebuggingEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the pmDebuggingTable. The pmPolicyIndex in the index specifies the policy that encountered the exception that led to this log entry. Note that some combinations of index values may result in an instance name that exceeds a length of 128 sub-identifiers, which exceeds the maximum for the SNMP protocol. Implementations should take care to avoid such combinations." INDEX { pmPolicyIndex, pmDebuggingElement, pmDebuggingContextName, pmDebuggingContextEngineID, pmDebuggingLogIndex } ::= { pmDebuggingTable 1 } PmDebuggingEntry ::= SEQUENCE { pmDebuggingElement RowPointer, pmDebuggingContextName SnmpAdminString, pmDebuggingContextEngineID OCTET STRING, pmDebuggingLogIndex Unsigned32, pmDebuggingMessage PmUTF8String } Waldbusser, et al. Standards Track [Page 109]
RFC 4011 Policy Based Management MIB March 2005 pmDebuggingElement OBJECT-TYPE SYNTAX RowPointer MAX-ACCESS not-accessible STATUS current DESCRIPTION "The element the policy was executing on when it encountered the error that led to this log entry. For example, if the element is interface 3, then this object will contain the OID for 'ifIndex.3'. As this object is used in the index for the pmDebuggingTable, users of this table should be careful not to create entries that would result in instance names with more than 128 sub-identifiers." ::= { pmDebuggingEntry 1 } pmDebuggingContextName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is not in the default SNMP context for the target system, this object is used to identify the context. If the element is in the default context, this object is equal to the empty string." ::= { pmDebuggingEntry 2 } pmDebuggingContextEngineID OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0 | 5..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "If the associated element is on a remote system, this object is used to identify the remote system. This object contains the contextEngineID of the system on which the associated element resides. If the element is on the local system, this object will be the empty string." ::= { pmDebuggingEntry 3 } pmDebuggingLogIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique index for this log entry among other log entries for this policy/element combination." ::= { pmDebuggingEntry 4 } Waldbusser, et al. Standards Track [Page 110]
RFC 4011 Policy Based Management MIB March 2005 pmDebuggingMessage OBJECT-TYPE SYNTAX PmUTF8String (SIZE (0..128)) MAX-ACCESS read-only STATUS current DESCRIPTION "An error message generated by the policy execution environment. It is recommended that this message include the time of day when the message was generated, if known." ::= { pmDebuggingEntry 5 } -- Notifications pmNotifications OBJECT IDENTIFIER ::= { pmMib 0 } pmNewRoleNotification NOTIFICATION-TYPE OBJECTS { pmRoleStatus } STATUS current DESCRIPTION "The pmNewRoleNotification is sent when an agent is configured with its first instance of a previously unused role string (not every time a new element is given a particular role). An instance of the pmRoleStatus object is sent containing the new roleString in its index. In the event that two or more elements are given the same role simultaneously, it is an implementation-dependent matter as to which pmRoleTable instance will be included in the notification." ::= { pmNotifications 1 } pmNewCapabilityNotification NOTIFICATION-TYPE OBJECTS { pmCapabilitiesType } STATUS current DESCRIPTION "The pmNewCapabilityNotification is sent when an agent gains a new capability that did not previously exist in any element on the system (not every time an element gains a particular capability). An instance of the pmCapabilitiesType object is sent containing the identity of the new capability. In the event that two or more elements gain the same capability simultaneously, it is an implementation-dependent matter as to which pmCapabilitiesType instance will be included in the notification." ::= { pmNotifications 2 } pmAbnormalTermNotification NOTIFICATION-TYPE OBJECTS { pmTrackingPEInfo } STATUS current Waldbusser, et al. Standards Track [Page 111]
RFC 4011 Policy Based Management MIB March 2005 DESCRIPTION "The pmAbnormalTermNotification is sent when a policy's pmPolicyAbnormalTerminations gauge value changes from zero to any value greater than zero and no such notification has been sent for that policy in the last 5 minutes. The notification contains an instance of the pmTrackingPEInfo object where the pmPolicyIndex component of the index identifies the associated policy and the rest of the index identifies an element on which the policy failed." ::= { pmNotifications 3 } -- Compliance Statements pmConformance OBJECT IDENTIFIER ::= { pmMib 12 } pmCompliances OBJECT IDENTIFIER ::= { pmConformance 1 } pmGroups OBJECT IDENTIFIER ::= { pmConformance 2 } pmCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "Describes the requirements for conformance to the Policy-Based Management MIB" MODULE -- this module MANDATORY-GROUPS { pmPolicyManagementGroup, pmSchedGroup, pmNotificationGroup } ::= { pmCompliances 1 } pmPolicyManagementGroup OBJECT-GROUP OBJECTS { pmPolicyPrecedenceGroup, pmPolicyPrecedence, pmPolicySchedule, pmPolicyElementTypeFilter, pmPolicyConditionScriptIndex, pmPolicyActionScriptIndex, pmPolicyParameters, pmPolicyConditionMaxLatency, pmPolicyActionMaxLatency, pmPolicyMaxIterations, pmPolicyDescription, pmPolicyMatches, pmPolicyAbnormalTerminations, pmPolicyExecutionErrors, pmPolicyDebugging, pmPolicyStorageType, pmPolicyAdminStatus, pmPolicyRowStatus, pmPolicyCodeText, pmPolicyCodeStatus, pmElementTypeRegMaxLatency, pmElementTypeRegDescription, pmElementTypeRegStorageType, pmElementTypeRegRowStatus, pmRoleStatus, pmCapabilitiesType, pmCapabilitiesOverrideState, pmCapabilitiesOverrideRowStatus, pmTrackingPEInfo, pmTrackingEPStatus, pmDebuggingMessage } Waldbusser, et al. Standards Track [Page 112]
RFC 4011 Policy Based Management MIB March 2005 STATUS current DESCRIPTION "Objects that allow for the creation and management of configuration policies." ::= { pmGroups 1 } pmSchedGroup OBJECT-GROUP OBJECTS { pmSchedLocalTime, pmSchedGroupIndex, pmSchedDescr, pmSchedTimePeriod, pmSchedMonth, pmSchedDay, pmSchedWeekDay, pmSchedTimeOfDay, pmSchedLocalOrUtc, pmSchedStorageType, pmSchedRowStatus } STATUS current DESCRIPTION "Objects that allow for the scheduling of policies." ::= { pmGroups 2 } pmNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { pmNewRoleNotification, pmNewCapabilityNotification, pmAbnormalTermNotification } STATUS current DESCRIPTION "Notifications sent by an Policy MIB agent." ::= { pmGroups 3 } pmBaseFunctionLibrary OBJECT IDENTIFIER ::= { pmGroups 4 } END 12. Relationship to Other MIB Modules When policy-based management is used specifically for (policy-based) configuration, the "Configuring Networks and Devices With SNMP" RFC 3512 [19] document describes configuration management practices, terminology, and an example of a MIB Module that may be helpful to those developing and using this technology. The Policy MIB accesses system instrumentation for the purposes of policy evaluation, control, notification, monitoring, and error reporting. This information is available to managers in the form of MIB objects. Information about system configuration is modified by the Policy MIB through MIB objects defined in other MIB Modules. Details about the operational or configuration details of a system are retrieved by the manager via access to the specific MIB objects available in a network element. As such, the Policy MIB can use any Waldbusser, et al. Standards Track [Page 113]
RFC 4011 Policy Based Management MIB March 2005 standard or vendor-defined object that exists on a managed system. In particular, the Policy MIB may access standard or vendor specific objects that are instance-specific such as BGP timeout parameters and specific interface counters. 13. Security Considerations This MIB contains no objects for which read access would disclose sensitive information. There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. With the exception of pmPolicyDescription, pmPolicyDebugging, pmElementTypeRegDescription, and pmSchedDescr, EVERY read-create and read-write object in this MIB should be considered sensitive because if an unauthorized user could manipulate these objects, s/he could cause the Policy MIB system to use the stored credentials of an authorized user to perform unauthorized and potentially harmful operations. There are no read-only objects in this MIB that contain sensitive information. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [16], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. Waldbusser, et al. Standards Track [Page 114]
RFC 4011 Policy Based Management MIB March 2005 An implementation must ensure that access control rules are applied when SNMP operations are performed in policy scripts. To ensure this, an implementation must record and maintain the security credentials of the last entity to modify each policy's pmPolicyAdminStatus object. The credentials to store are the securityModel, securityName, and securityLevel and will be used as input parameters for isAccessAllowed from the Architecture for Describing SNMP Management Frameworks [1]. This mechanism was first introduced in the DISMAN-SCHEDULE-MIB [12]. SNMP requests made when secModel, secName, and secLevel are specified use credentials stored in the local configuration datastore. Access to these credentials depends on the security credentials of the last entity to modify the policy's pmPolicyAdminStatus object. To determine whether the credentials can be accessed, the isAccessAllowed abstract service interface defined in RFC 3411 [1] is called: statusInformation = -- success or errorIndication isAccessAllowed( IN securityModel -- Security Model used IN securityName -- principal who wants to access IN securityLevel -- Level of Security used IN viewType -- write IN contextName -- context containing variableName IN variableName -- OID for an object in the proper -- LCD entry ) The securityModel, securityName, and securityLevel parameters are set to the values that were recorded when the policy was modified. The viewType is set to write, and the contextName and variableName are set to select any read-create object in the appropriate LCD entry. Proper configuration of VACM requires that write access to an LCD entry not be given to entities that aren't authorized to use the credentials therein. Access control for SNMP requests made to the local system where secModel, secName, and secLevel aren't specified depends on the security credentials of the last entity to modify the policy's pmPolicyAdminStatus object. To determine whether the operation should succeed, the isAccessAllowed abstract service interface defined in RFC 3411 [1] is called: Waldbusser, et al. Standards Track [Page 115]
RFC 4011 Policy Based Management MIB March 2005 statusInformation = -- success or errorIndication isAccessAllowed( IN securityModel -- Security Model in use IN securityName -- principal who wants to access IN securityLevel -- Level of Security IN viewType -- read, write, or notify view IN contextName -- context as specified IN variableName -- OID for the managed object ) The securityModel, securityName, and securityLevel parameters are set to the values that were recorded when the policy was modified. The viewType, contextName, and variableName parameters are set as appropriate for the requested SNMP operation. Unless all users who have write access to the pmPolicyTable and pmPolicyCodeTable have equivalent access to the managed system, policy scripts could be used by a user to gain the privileges of another user. Therefore, when policy users have different access, access control should be applied so that a user's policies cannot be modified by another user. To make this more convenient, a user can place all of his or her policies in the same pmPolicyAdminGroup so that a single access control view can apply to all of them. Some policies may be designed to ensure the security of a network. If these policies have not been installed pending the appearance of a role or capability, some delay will occur in their activation policies when the role or capability appears because a responsible manager must notice the change and install the policy. This delay may expose the device or the network to unacceptable security vulnerabilities during this delay. If the role or capability appears during a time of network stress or when the management station is unavailable, this delay could be extensive, further increasing the exposure. It is recommended that management stations install any security-related policies that might ever be needed on a particular managed device, even if a nonexistent role or capability suggests that it is not needed at a given time. This MIB allows the delegation of access rights so that a user ("Joe") can instruct a Policy MIB agent to execute remote operations on his behalf that are authorized by keys stored by "Joe" into the usmUserTable. Care needs to be taken to ensure that unauthorized users are unable to configure their policies to use Joe's keys. Although there are theoretically many ways to configure SNMP security, users are advised to follow the most straightforward way outlined below to minimize complexity and the resulting opportunity for errors. Waldbusser, et al. Standards Track [Page 116]
RFC 4011 Policy Based Management MIB March 2005 Assume that Joe has credentials that give him authority to manage agents A, B, and C, as well as the Policy MIB agent "P". Joe will store credentials for Joe@A, Joe@B, and Joe@C in the usmUserTable of the Policy MIB agent. Then the following VACM configuration will be used: VACM securityToGroupTable A single entry mapping user Joe@P to group JoesGroup VACM accessTable A single entry mapping group JoesGroup to write view JoesView VACM viewTreeFamilyTable ViewName Subtree Type JoesView points to Joe@A in usmUserTable included JoesView points to Joe@B in usmUserTable included JoesView points to Joe@C in usmUserTable included In the preceding examples, the notation Joe@A represents the entry indexed by usmUserEngineID and usmUserName, where the SnmpEngineID is that of system A and the usmUserName is "Joe". 14. IANA Considerations This is a profile of stringprep. It has been registered by the IANA in the stringprep profile registry located at: http://www.iana.org/assignments/stringprep-profiles Name of this profile: Policy MIB Stringprep. RFC in which the profile is defined: This document. Indicator whether this is the newest version of the profile: This is the first version of Policy MIB Stringprep. Waldbusser, et al. Standards Track [Page 117]
RFC 4011 Policy Based Management MIB March 2005 15. Acknowledgements The authors gratefully acknowledge the significant contributions to this work made by Jeff Case, Patrik Falstrom, Joel Halpern, Pablo Halpern, Bob Moore, Steve Moulton, David Partain, and Walter Weiss. This MIB uses a security delegation mechanism that was first introduced in the DISMAN-SCHEDULE-MIB [12]. The Schedule table of this MIB borrows heavily from the PolicyTimePeriodCondition of the Policy Core Information Model (PCIM) [18] and from the DISMAN- SCHEDULE-MIB [12]. 16. References 16.1. Normative References [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [2] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [3] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [4] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [5] Presuhn, R., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, December 2002. [6] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. [7] Presuhn, R., "Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3416, December 2002. [8] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet- standard Network Management Framework", BCP 74, RFC 3584, August 2003. Waldbusser, et al. Standards Track [Page 118]
RFC 4011 Policy Based Management MIB March 2005 [9] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002. [10] International Standards Organization, "Information Technology - Programming Languages - C++", ISO/IEC 14882-1998 [11] Daniele, M. and J. Schoenwaelder, "Textual Conventions for Transport Addresses", RFC 3419, December 2002. [12] Levi, D. and J. Schoenwaelder, "Definitions of Managed Objects for Scheduling Management Operations", RFC 3231, January 2002. [13] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002. [14] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [15] Dawson, F. and D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998. 16.2. Informative References [16] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002. [17] ECMA, "ECMAScript Language Specification", ECMA-262, December 1999 [18] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001. [19] MacFaden, M., Partain, D., Saperia, J., and W. Tackabury, "Configuring Networks and Devices with Simple Network Management Protocol (SNMP)", RFC 3512, April 2003. Waldbusser, et al. Standards Track [Page 119]
RFC 4011 Policy Based Management MIB March 2005 Author's Addresses Steve Waldbusser Phone: +1-650-948-6500 Fax: +1-650-745-0671 EMail: waldbusser@nextbeacon.com Jon Saperia (WG Co-chair) JDS Consulting, Inc. 84 Kettell Plain Road. Stow MA 01775 USA Phone: +1-978-461--0249 Fax: +1-617-249-0874 EMail: saperia@jdscons.com Thippanna Hongal Riverstone Networks, Inc. 5200 Great America Parkway Santa Clara, CA, 95054 USA Phone: +1-408-878-6562 Fax: +1-408-878-6501 EMail: hongal@riverstonenet.com Waldbusser, et al. Standards Track [Page 120]
RFC 4011 Policy Based Management MIB March 2005 Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Waldbusser, et al. Standards Track [Page 121]

   

[Home] [Full RFC index] [RFC humour] [Our technology]

Copyright © Inter-Corporate Computer & Network Services, Inc.  All rights reserved.
All trademarks and RFC contents are the property of their respective owners.